WinBlueSoft Victim

System infected with WinBlueSoft.
Must boot in Safe Mode to get anything to run.
Attempted the removal guide on this site but could not get the Malwarebytes program to execute.
HijackThis log listing is included below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:54 PM, on 6/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SVRemote] c:\Program Files\SVRemote\USB20Remote.exe
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Do&wnload by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.mpix.com/customer/uploading/activex/ImageUploader5.cab
O16 - DPF: {62AEFF80-16AD-4AC4-B812-E70EB5F37301} (Zenfolio Uploader) - http://www.zenfolio.com/zf/code/upload-ie-win-x86.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://imageevent.com/s/ImageUploader4.6.30.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://imageevent.com/s/ImageUploader4.7.16.cab
O20 - AppInit_DLLs: blocker.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (providercomcast) (tgsrvc_providercomcast) - SupportSoft, Inc. - C:\Program Files\providerComcast\bin\tgsrvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 11132 bytes

Re: WinBlueSoft Victim
Hello.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section".
  • Then select "Delete a file on reboot...".
  • Then find and select this file: C:\windows\system32\blocker.dll
  • Select OK and select Yes to reboot.

Then after reboot, we need to tidy up a bit.

  • Open HijackThis again.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
    O20 - AppInit_DLLs: blocker.dll


  • Press "Fix Checked"
  • Close HijackThis.

Let me know once that is done.
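
The post above picks five lines out of the log by eye. As an added example (not part of this thread and not HijackThis's own logic), the Python below applies the same reasoning mechanically to HijackThis lines: it parses O4 Run entries, O16 DPF entries, the O20 AppInit_DLLs value and O23 services, and flags the ones a helper would question. The sample input is a constructed subset of lines copied from the log posted earlier; the heuristics, the system32 allow-list and the default "known rogue" name are assumptions made for this example, not something HijackThis provides.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
O20 - AppInit_DLLs: blocker.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<title>[^)]*)\))? - (?P<url>\S+)$")

# Heuristics below are assumptions for this example, not HijackThis logic.
INSTALLER_NAME = re.compile(r"setup|install|tmp|temp", re.I)
SYSTEM32_DIR = re.compile(r"(?:%systemroot%|[a-z]:\\windows)\\system32\\", re.I)
# Assumed allow-list of images that legitimately autostart from system32 on XP.
SYSTEM32_ALLOW = {"ctfmon.exe", "dumprep"}


@dataclass
class Finding:
    section: str
    severity: str
    reasons: list
    line: str


def image_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line, quoted or not."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|dll|cpl|scr|bat|cmd))(?:\s|$)", cmd, re.I)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd.split() else cmd


def check_run(body, known_bad):
    m = RUN_RE.match(body)
    if not m:
        return None
    reasons, severity = [], "info"
    image = image_path(m.group("cmd"))
    base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if any(b in body.lower() for b in known_bad):
        reasons.append("matches a name already identified as a rogue")
        severity = "high"
    if INSTALLER_NAME.search(base):
        reasons.append("installer-style image name persisting in a Run key")
        severity = "high"
    if SYSTEM32_DIR.search(image) and base not in SYSTEM32_ALLOW:
        reasons.append("non-Windows image autostarting out of system32")
        severity = "high"
    return (severity, reasons) if reasons else None


def check_dpf(body):
    m = DPF_RE.match(body)
    if not m:
        return None
    reasons, severity = [], "info"
    if m.group("url").lower().endswith(".exe"):
        reasons.append("DPF entry fetches a bare executable instead of a packaged control")
        severity = "high"
    if not m.group("title"):
        reasons.append("no registered control name")
    return (severity, reasons) if reasons else None


def triage(log: str, known_bad=("winbluesoft",)):
    """Return the HijackThis lines worth a closer look, with the reason for each."""
    bad = [b.lower() for b in known_bad]
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        result = None
        if sec == "O4":
            result = check_run(body, bad)
        elif sec == "O16":
            result = check_dpf(body)
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            result = ("high", ["AppInit_DLLs loads this DLL into every process that maps user32.dll"])
        elif sec == "O23" and " - Unknown owner - " in body:
            result = ("info", ["service binary carries no publisher string; verify the file on disk"])
        if result:
            findings.append(Finding(sec, result[0], result[1], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.line}\n        " + "; ".join(f.reasons))
```

Run against the sample, it flags the same four lines the helper chose for removal (the WinBlueSoft Run key, tempo-setup2.exe, the work4sure DPF entry and blocker.dll) as high, lists the unsigned ATI service as informational, and leaves the Java updater, ctfmon and the dumprep crash-report entry alone. An "info" hit is a prompt to check the file, not a verdict.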

Re: WinBlueSoft Victim
OK, got that done.

Re: WinBlueSoft Victim

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (Symantec)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Rcauto10]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

    [screenshot: Whatne10]

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Re: WinBlueSoft Victim
ComboFix 09-06-03.02 - Dave 06/04/2009 21:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2538 [GMT -7:00]
Running from: c:\documents and settings\Dave\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\docume~1\Dave\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Dave\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Dave\Application Data\inst.exe
c:\windows\107559pa5boz29d.cpl
c:\windows\109z9v5rus596.exe
c:\windows\10z10vir9s3e5.exe
c:\windows\11345n9z-a-virus7d5.dll
c:\windows\11349sp59bzt57f.bin
c:\windows\11b8b9czdoo550.dll
c:\windows\12059zo9m591.dll
c:\windows\1209b5czdoor2359.exe
c:\windows\12205aczdoo93091.cpl
c:\windows\12409n59-a-virzs24c.exe
c:\windows\13459szy2585.ocx
c:\windows\14009no5-a-virus5baz.cpl
c:\windows\14909worm5za.bin
c:\windows\1505zw5r9b6.exe
c:\windows\15165worm29z.ocx
c:\windows\151zspyware919.exe
c:\windows\15269worz654.dll
c:\windows\1566addwaze1945.dll
c:\windows\159929z5m544.ocx
c:\windows\160315orm2z9.ocx
c:\windows\160445oz9a-virus7d8.bin
c:\windows\1765hzcktoo5969.exe
c:\windows\18221notza-9irus555.bin
c:\windows\18236zac5tool4cb9.cpl
c:\windows\18922nzt-a-vi5us330.cpl
c:\windows\1895backdz9r1781.dll
c:\windows\1915spamb5t635z.exe
c:\windows\19705hazktool46.bin
c:\windows\19982ha9kt5oz149.cpl
c:\windows\19c95ddware7z0.cpl
c:\windows\19z84hac5tool91.bin
c:\windows\1a859p5warez83.dll
c:\windows\1afct5i9z1391.bin
c:\windows\1az5d9wnloader2194.cpl
c:\windows\1bffspyware39z5.cpl
c:\windows\1d5159zal962.dll
c:\windows\1d9bazkdo5r762.cpl
c:\windows\1f0asteaz9045.dll
c:\windows\1z15thief2059.cpl
c:\windows\1z494vi5us6f4.dll
c:\windows\1z625h9ef467.exe
c:\windows\1z695py293.dll
c:\windows\1z7995pambot78e.bin
c:\windows\1za5v9r2403.ocx
c:\windows\207ztr9j35a.exe
c:\windows\2099zownlo5der3218.bin
c:\windows\21052sp5zbot4d29.bin
c:\windows\21100wormz95.bin
c:\windows\21578s9azbot5945.cpl
c:\windows\21985spzmbotd5.cpl
c:\windows\21zspyw5r9561.cpl
c:\windows\22385ack9oozfa.bin
c:\windows\224159zambot5e.cpl
c:\windows\22513spam9ot4z8.bin
c:\windows\226769pam5ot8z.cpl
c:\windows\226915orm3z9.bin
c:\windows\2271not-9-vi5us32z.ocx
c:\windows\228z1not-a-vir5s949.bin
c:\windows\22c2t9izf32415.exe
c:\windows\22z03ha5k9ool648.cpl
c:\windows\240zsp9rse995.dll
c:\windows\2419threat19566z.dll
c:\windows\24394trojz54.ocx
c:\windows\2463spzwar92405.dll
c:\windows\24725virzs595.exe
c:\windows\24acadd59ze2360.exe
c:\windows\25208zi5us90e.ocx
c:\windows\2525parse529z.bin
c:\windows\25425vzrus951.cpl
c:\windows\25451worm59ez.bin
c:\windows\2577doznlo9der1391.ocx
c:\windows\25927trojz53.dll
c:\windows\2597virus64z5.bin
c:\windows\25d0ba5kdozr1991.cpl
c:\windows\27392spzmbot958.ocx
c:\windows\27z35spambot3d9.exe
c:\windows\28181hz5kto9l317.cpl
c:\windows\2829zsp9750.ocx
c:\windows\28789nzt-a-virus3bc5.exe
c:\windows\29009spazb5t51b.bin
c:\windows\29077noz-a-vir5s3129.exe
c:\windows\2955threat16573z.cpl
c:\windows\298csteal1z59.ocx
c:\windows\29955zpambot47.exe
c:\windows\2aecvz59595.bin
c:\windows\2bf9spy5z9e658.exe
c:\windows\2ed0b59kdooz2546.exe
c:\windows\2f1cspz5ar92466.ocx
c:\windows\2f99zp9r5e1289.cpl
c:\windows\2fd5downloader19z9.exe
c:\windows\2fz9spyw9re19325.dll
c:\windows\2z1abac9door9315.dll
c:\windows\2z28do5nloa9er63.exe
c:\windows\2z317t5oj796.cpl
c:\windows\2z5cvir1159.bin
c:\windows\2z698v9rus755.cpl
c:\windows\2z854not-5-v9rus41d.exe
c:\windows\2z96sp59se2255.bin
c:\windows\30091troj59z9.cpl
c:\windows\3055not-a9vir5s4e7z.bin
c:\windows\30974zirus21a5.bin
c:\windows\31595szambot51f5.cpl
c:\windows\31959ackt5oz2ef.cpl
c:\windows\31z56spam59t160.ocx
c:\windows\31z8vi518229.cpl
c:\windows\3297zackdoor653.ocx
c:\windows\32982haczt5ol731.cpl
c:\windows\33e9d9wnlzader1512.ocx
c:\windows\346vi92516z.ocx
c:\windows\35336worm5ez9.ocx
c:\windows\35352w9zm53e.exe
c:\windows\3539add9are2z86.exe
c:\windows\359dzteal489.exe
c:\windows\35ds5ars9168z.bin
c:\windows\3675dzwn5oader12399.dll
c:\windows\37b7zt9al5162.bin
c:\windows\3821t59ef2952z.ocx
c:\windows\391vzru518d.exe
c:\windows\3925wzrm435.ocx
c:\windows\392aba9kz5or1825.exe
c:\windows\3998zworm3f35.ocx
c:\windows\3c43tzre9t52171.ocx
c:\windows\3c53thizf9358.dll
c:\windows\3cz1thr59t15732.exe
c:\windows\3z070wor952b.bin
c:\windows\3z925t9oj6f0.ocx
c:\windows\3z93downloader5408.cpl
c:\windows\3z95steal1039.cpl
c:\windows\41cb9d5ware18z8.cpl
c:\windows\422azddware1359.dll
c:\windows\42a2dzw59oader631.dll
c:\windows\4327spz5dc9.exe
c:\windows\4343z9r1015.ocx
c:\windows\44085p9waze1705.dll
c:\windows\4459zhief75.exe
c:\windows\4533zhre9t29693.cpl
c:\windows\4562d9wnloa5er4z9.bin
c:\windows\45b6d9wnloader307z5.ocx
c:\windows\4690sp5za9.cpl
c:\windows\48aeb9c5doorz078.bin
c:\windows\4947stzal5577.ocx
c:\windows\495zthief9857.cpl
c:\windows\499e5zdware1822.bin
c:\windows\499t5iefz223.dll
c:\windows\49c0tzief19235.exe
c:\windows\4aafspzware12595.ocx
c:\windows\4afzpa9s5933.dll
c:\windows\4bdbszywa9e3075.dll
c:\windows\4e9athzef1513.cpl
c:\windows\4efzs95rse1697.bin
c:\windows\4f6zste5l5879.ocx
c:\windows\4fdc59wnloader2338z.cpl
c:\windows\4z29steal1859.cpl
c:\windows\4z54spamb9t35f.dll
c:\windows\4z8fs95al603.ocx
c:\windows\4zfdthie51790.dll
c:\windows\5009s9z5f5.ocx
c:\windows\504fdown5oadzr16989.cpl
c:\windows\50990spamb9t310z.exe
c:\windows\509worm5z59.cpl
c:\windows\50z59ir704.ocx
c:\windows\5113dow5lozde91729.bin
c:\windows\51436spa9bot6dz.dll
c:\windows\522szeal93565.dll
c:\windows\52b3zpywa9e351.exe
c:\windows\52e2doznload59405.exe
c:\windows\533abackdooz25169.dll
c:\windows\54107hackt9olz7.dll
c:\windows\5440b9ckzoor2891.exe
c:\windows\54883h9cktoolz5f.cpl
c:\windows\54hackzool22a9.ocx
c:\windows\5531zo9-a-virus51c.bin
c:\windows\55339ir1z7.ocx
c:\windows\5553hacktz9l42.bin
c:\windows\557fdownlzader2982.bin
c:\windows\55z15hief2294.exe
c:\windows\55zvir964.bin
c:\windows\5624szarse19185.dll
c:\windows\5654v9zus6e8.cpl
c:\windows\5659zwormda.exe
c:\windows\5660spazb9t5e.dll
c:\windows\569dba5kdooz1961.bin
c:\windows\56z0addwa59567.bin
c:\windows\57245pa9sz712.cpl
c:\windows\578avi59966z.cpl
c:\windows\57eespywar91z50.bin
c:\windows\57z59rojef.bin
c:\windows\580069acktozl53a.cpl
c:\windows\581zspy9a75.dll
c:\windows\58955virzs1d8.exe
c:\windows\5926zir2754.cpl
c:\windows\59c6stealz503.cpl
c:\windows\59z8worm512.cpl
c:\windows\5a6add5zr9175.bin
c:\windows\5a76sze952968.exe
c:\windows\5aczthie9290.bin
c:\windows\5af1sparse29z9.cpl
c:\windows\5b2d9zr364.ocx
c:\windows\5b6szar9e2556.dll
c:\windows\5bb0sparze99445.dll
c:\windows\5ca5sp9zare523.cpl
c:\windows\5cb4steal28z99.exe
c:\windows\5d2c9tealz732.cpl
c:\windows\5e5bth9e5t3z775.bin
c:\windows\5f59stzal2607.dll
c:\windows\5f999teal236z.exe
c:\windows\5z535hr9at2893.dll
c:\windows\5zdbvir19549.exe
c:\windows\60b1v5z2096.cpl
c:\windows\61a5spyza9e2093.cpl
c:\windows\62e1b95kdozr2973.bin
c:\windows\62e3z5reat186149.dll
c:\windows\64z69teal31405.cpl
c:\windows\6549wzrm4be.bin
c:\windows\6573vi952z1.exe
c:\windows\65989hreatz658.ocx
c:\windows\65b6b9ckdozr2191.ocx
c:\windows\65zbsparse1490.cpl
c:\windows\690wz9m3e5.bin
c:\windows\699aadzware3585.cpl
c:\windows\6a48zparse4509.dll
c:\windows\6a7stzal959.dll
c:\windows\6c235ownlozde9113.ocx
c:\windows\6c23spyza9e1555.dll
c:\windows\6c5zsparse1292.cpl
c:\windows\6e0dspz9are5005.ocx
c:\windows\6e59szeal689.ocx
c:\windows\6e80bac9do5r235z.exe
c:\windows\6ed5thief309z.exe
c:\windows\6f3athrezt35964.bin
c:\windows\6z86v9ru526f.bin
c:\windows\7039spamb5t4z2.exe
c:\windows\70z5s5a9se2540.ocx
c:\windows\71329zd5are3230.ocx
c:\windows\7159n9tza-virus6a5.exe
c:\windows\7300bz5kdoor1939.cpl
c:\windows\7318vi9z5456.cpl
c:\windows\7390b95kdoor1z20.ocx
c:\windows\74e4sz9rs5212.bin
c:\windows\75079iruz6475.bin
c:\windows\750spar9ez553.dll
c:\windows\7599sp5warez821.cpl
c:\windows\776vir59704z.exe
c:\windows\78b05pywa9ez932.bin
c:\windows\790eba5kd9orz3.cpl
c:\windows\7973viru9535z.exe
c:\windows\7a5ezownloader949.bin
c:\windows\7efddownloader98z5.cpl
c:\windows\7f06threaz99558.dll
c:\windows\7f9ad5wnl9aderz417.cpl
c:\windows\7zdv5r997.exe
c:\windows\80735acktzol1349.cpl
c:\windows\85z9py2c3.ocx
c:\windows\874s9ar5z1787.bin
c:\windows\88not5a9vizus2b3.dll
c:\windows\893steal27z5.dll
c:\windows\8ffz5ckd9or945.ocx
c:\windows\8z94viru56f8.ocx
c:\windows\8zevir19545.bin
c:\windows\900z8w5rm7ff.dll
c:\windows\901f5ackdoorz42.exe
c:\windows\9031no5-a-vir9s6za.cpl
c:\windows\90z27vir5s542.dll
c:\windows\91942szy6b35.ocx
c:\windows\9237h9ckzoolac5.ocx
c:\windows\927345orm36dz.cpl
c:\windows\9295thzef5554.bin
c:\windows\9313spzm5ot139.bin
c:\windows\93500not-a-virusz9a.exe
c:\windows\935fspyzare19.dll
c:\windows\93fzpars524799.dll
c:\windows\94707v5rzs221.bin
c:\windows\95e9bzckdoor318.exe
c:\windows\96051spy54fz.ocx
c:\windows\968thrzat6325.cpl
c:\windows\969szeal2895.exe
c:\windows\97765ot-a-zi9us429.bin
c:\windows\9798not-a-vir5z5b6.bin
c:\windows\98385spa5boz47b.dll
c:\windows\995eback5ooz3011.exe
c:\windows\99633sp5mboz30e.dll
c:\windows\9975zir5355.cpl
c:\windows\9978zw5rm41a.cpl
c:\windows\99a5threat259z8.dll
c:\windows\99z66wo5m7cf.bin
c:\windows\99z6vir11605.bin
c:\windows\9a85vir325z5.dll
c:\windows\9abthz5at28687.dll
c:\windows\9af7s5yware1z59.bin
c:\windows\9c7zpyw9re24715.exe
c:\windows\9d3evzr1152.cpl
c:\windows\9z17tr5j744.cpl
c:\windows\9zaddwa5e1896.cpl
c:\windows\c9dd95nloaderz79.dll
c:\windows\cad59dwzre546.dll
c:\windows\d925zar9e917.bin
c:\windows\df95tealz25.cpl
c:\windows\f59zir3931.exe
c:\windows\fd9ack5oor288z.exe
c:\windows\system32\101995roj58z.exe
c:\windows\system32\10364wo5m71z9.dll
c:\windows\system32\11515notza-virus296.dll
c:\windows\system32\11551vi5usz92.dll
c:\windows\system32\119155or9z51.exe
c:\windows\system32\1191threat981z5.ocx
c:\windows\system32\12499hacktz5l96.bin
c:\windows\system32\1295v9ruszfe.bin
c:\windows\system32\12985tz5j7df.ocx
c:\windows\system32\12z93h9cktool46c5.exe
c:\windows\system32\13196ha5ktoolz84.ocx
c:\windows\system32\1350viru9z68.cpl
c:\windows\system32\142895zy189.cpl
c:\windows\system32\14915hief2z47.exe
c:\windows\system32\150vir29z5.cpl
c:\windows\system32\1517trojz89.dll
c:\windows\system32\15373notz59virus61.bin
c:\windows\system32\153b5pzwar92757.exe
c:\windows\system32\1548zspy593.ocx
c:\windows\system32\1595threa959z3.exe
c:\windows\system32\159aaddware6z2.bin
c:\windows\system32\15es9ywa5e107z.exe
c:\windows\system32\1641395t-a-virusza8.ocx
c:\windows\system32\16478hacktool9z5.exe
c:\windows\system32\1679hackt5zl3bf.bin
c:\windows\system32\1694zpar5e2872.cpl
c:\windows\system32\1731azd9a5e1991.bin
c:\windows\system32\17325nzt-a-viru92a5.dll
c:\windows\system32\17557spambzt5e9.ocx
c:\windows\system32\1764s5ywarez629.exe
c:\windows\system32\1768v5ruz95d.exe
c:\windows\system32\17945not-a-v5zus2eb.exe
c:\windows\system32\17997ziru9558.dll
c:\windows\system32\179z7tro53d.exe
c:\windows\system32\186529pazbot5e9.exe
c:\windows\system32\18876s5azbot398.ocx
c:\windows\system32\18920zr5j300.ocx
c:\windows\system32\19075h5zkto9l143.dll
c:\windows\system32\19396v9rus4z95.cpl
c:\windows\system32\194dthreat256z2.cpl
c:\windows\system32\19511viruszbf.cpl
c:\windows\system32\19604nz5-9-virus97.dll
c:\windows\system32\19657spazbot900.exe
c:\windows\system32\19759wozm5aa.dll
c:\windows\system32\19837hzckto5l61c.bin
c:\windows\system32\199075zy7b6.dll
c:\windows\system32\1995zs9yf5.cpl
c:\windows\system32\19dstza51895.bin
c:\windows\system32\19fz5teal294.ocx
c:\windows\system32\1cb4thre9t4z645.bin
c:\windows\system32\1d9ztea56819.exe
c:\windows\system32\1z005sp9510.dll
c:\windows\system32\1z191vir95391.exe
c:\windows\system32\1z425s9y442.cpl
c:\windows\system32\1z5489iru5465.dll
c:\windows\system32\1z95addware676.dll
c:\windows\system32\1zebackdo5r948.cpl
c:\windows\system32\20135sp91az.bin
c:\windows\system32\201499i5uz170.dll
c:\windows\system32\20395hief323z.exe
c:\windows\system32\20499z5rus281.bin
c:\windows\system32\204astezl2599.exe
c:\windows\system32\204z5s594cf.exe
c:\windows\system32\21365t9oj67z.exe
c:\windows\system32\2185thrza915927.bin
c:\windows\system32\218z4tro9255.exe
c:\windows\system32\21e2b9c5door247z.exe
c:\windows\system32\21z53hacktool90.bin
c:\windows\system32\22121sz5mbot76a9.cpl
c:\windows\system32\22561spy9b9z.dll
c:\windows\system32\22606not-a-virus9zf5.exe
c:\windows\system32\22625zro975c.dll
c:\windows\system32\22795szy1f9.cpl
c:\windows\system32\2314zha9kt5ol187.ocx
c:\windows\system32\23340viru5193z.ocx
c:\windows\system32\23965hacktoo9783z.dll
c:\windows\system32\23z49vir95525.dll
c:\windows\system32\24057t5o929z.exe
c:\windows\system32\2420spzm9ot352.dll
c:\windows\system32\24221za5kto9l299.bin
c:\windows\system32\24359irus1z8.ocx
c:\windows\system32\24652haczto9l6a8.exe
c:\windows\system32\24886sz9540.bin
c:\windows\system32\248z6n9t-a-virus505.ocx
c:\windows\system32\24903zr9jd5.ocx
c:\windows\system32\24908zi9u5555.bin
c:\windows\system32\249zspy1975.ocx
c:\windows\system32\251045azktool74e9.ocx
c:\windows\system32\25110s9y59bz.bin
c:\windows\system32\2521s9z5bot421.ocx
c:\windows\system32\25269hack5ool73z.cpl
c:\windows\system32\25279ir2z56.ocx
c:\windows\system32\2533tzoj7859.dll
c:\windows\system32\25516nz5-9-virus7e0.bin
c:\windows\system32\25535tzoj960.exe
c:\windows\system32\255csze5l9958.dll
c:\windows\system32\255wo9z254.dll
c:\windows\system32\25699hazkto5l723.exe
c:\windows\system32\25893zpam5ot27b.exe
c:\windows\system32\25z94spya5.bin
c:\windows\system32\264z79ro5152.bin
c:\windows\system32\2665zackdoo91309.bin
c:\windows\system32\26795v9ru53cez.cpl
c:\windows\system32\26a9bzckdoor8035.bin
c:\windows\system32\27059ha9kzool1c65.cpl
c:\windows\system32\2705zspam5ot259.cpl
c:\windows\system32\27264wo5z93b.exe
c:\windows\system32\27369not95-viruse5z.ocx
c:\windows\system32\27895spazbot797.bin
c:\windows\system32\27988v5rus649z.ocx
c:\windows\system32\282805p9mbot55az.dll
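
The deleted files listed above share one pattern: a decimal or hex prefix, a malware-category word with one or two characters swapped ("v5rus", "hazktool", "backdz9r", "zownlo5der"), and random trailing characters. As an added example, not part of this thread and not ComboFix's own logic, the Python below recognises that pattern by fuzzy-matching each file name against a word list with a small edit-distance budget. The sample input is constructed from names copied out of the log above, with a few legitimate binaries from the same machine's HijackThis log as negatives; the word list, the edit budget and the "must contain a digit" rule are assumptions made for this example. A budget this loose will also hit some legitimate names (anything containing "thread" is within one edit of "threat"), so treat a hit as a reason to look, not as a verdict.

```python
# Constructed sample input: names copied from the ComboFix "Other Deletions" list above, plus
# legitimate binaries from the same machine's HijackThis log as negatives.
SAMPLE_PATHS = [
    r"c:\windows\109z9v5rus596.exe",
    r"c:\windows\11345n9z-a-virus7d5.dll",
    r"c:\windows\14909worm5za.bin",
    r"c:\windows\1895backdz9r1781.dll",
    r"c:\windows\1915spamb5t635z.exe",
    r"c:\windows\19705hazktool46.bin",
    r"c:\windows\2099zownlo5der3218.bin",
    r"c:\windows\system32\14915hief2z47.exe",
    r"c:\windows\system32\1548zspy593.ocx",
    r"c:\windows\system32\3535spzmb9t1d.exe",
    r"c:\windows\system32\ctfmon.exe",
    r"c:\windows\system32\ati2sgag.exe",
    r"c:\program files\java\jre6\bin\jusched.exe",
    r"c:\program files\symantec_client_security\symantec antivirus\rtvscan.exe",
    r"c:\windows\system32\spool\drivers\w32x86\3\wrtmon.exe",
]

# Assumed word list: the malware-category words the decoy names in the log are built around.
KEYWORDS = ("not-a-virus", "downloader", "backdoor", "hacktool", "spambot", "spyware",
            "addware", "threat", "sparse", "virus", "steal", "thief", "troj", "worm", "spy", "vir")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def fuzzy_find(stem: str, keyword: str):
    """Best window of `stem` within the edit budget of `keyword`, as (fragment, distance), else None."""
    budget = 1 if len(keyword) <= 5 else 2
    best = None
    # Windows at least as long as the keyword: decoys substitute or pad characters, they rarely drop them.
    for width in range(len(keyword), len(keyword) + budget + 1):
        for i in range(len(stem) - width + 1):
            frag = stem[i:i + width]
            d = levenshtein(frag, keyword)
            if d <= budget and (best is None or d < best[1]):
                best = (frag, d)
    return best


def classify(path: str):
    """Return a dict describing the decoy-style match for `path`, or None if it looks ordinary."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = base.rsplit(".", 1)[0]
    # Assumed rule: every decoy name in the log carries random digits; a plain word like "ctfmon" is skipped.
    if not any(ch.isdigit() for ch in stem):
        return None
    hits = []
    for kw in KEYWORDS:
        hit = fuzzy_find(stem, kw)
        if hit:
            frag, d = hit
            # Rank by relative distance so "spamb5t"~spambot beats "spa"~spy for the same name.
            hits.append((d / len(kw), -len(kw), kw, frag, d))
    if not hits:
        return None
    _, _, kw, frag, d = min(hits)
    return {"path": path, "keyword": kw, "fragment": frag, "distance": d}


def find_decoys(paths):
    return [r for r in (classify(p) for p in paths) if r]


if __name__ == "__main__":
    for r in find_decoys(SAMPLE_PATHS):
        print(f"{r['path']}: '{r['fragment']}' ~ {r['keyword']} (edits={r['distance']})")
```

On the sample the ten copied decoy names are all matched to the word they were built from, while ctfmon, ati2sgag, jusched, rtvscan and wrtmon pass clean. Against a real file listing you would feed it every name under the Windows and system32 directories and review the hits by hand.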

Re: WinBlueSoft Victim
(cont.)

c:\windows\system32\2833trojz5e9.exe
c:\windows\system32\28659wo5m3zc.bin
c:\windows\system32\28688not-a-5izus59e9.exe
c:\windows\system32\28asp5warez09.dll
c:\windows\system32\28czb5ck9oor1862.bin
c:\windows\system32\2906downloadez5887.dll
c:\windows\system32\29074hack9ool2zc5.cpl
c:\windows\system32\2919not-a5vi9us54z.cpl
c:\windows\system32\2921spa5se20z59.cpl
c:\windows\system32\292za5dwa9e2492.exe
c:\windows\system32\2957downlozder2925.dll
c:\windows\system32\29659spambotz46.cpl
c:\windows\system32\2986znot-a-v5rus635.dll
c:\windows\system32\298dszywar523779.cpl
c:\windows\system32\299ezh5e92387.exe
c:\windows\system32\29fcspywzr52209.ocx
c:\windows\system32\29z2vi52017.exe
c:\windows\system32\29z485py4dc.cpl
c:\windows\system32\29z5vir11729.exe
c:\windows\system32\2af9s5yware2z42.ocx
c:\windows\system32\2c985ackdoorz2.bin
c:\windows\system32\2e10spy5a9e25z2.ocx
c:\windows\system32\2e70thizf459.ocx
c:\windows\system32\2e7cst5alz959.bin
c:\windows\system32\2z425h9ef3107.ocx
c:\windows\system32\2z905worm3a0.ocx
c:\windows\system32\2zf59hief1065.bin
c:\windows\system32\30bct9zeat255385.ocx
c:\windows\system32\3182z5ro973a.dll
c:\windows\system32\31969not-z-v9rus185.bin
c:\windows\system32\31z2do5nloader1519.exe
c:\windows\system32\32045not-a-virz53a59.exe
c:\windows\system32\32550w9rm7d0z.dll
c:\windows\system32\32z359or525f.dll
c:\windows\system32\3354steal895z.exe
c:\windows\system32\335ad5ware2z59.ocx
c:\windows\system32\338a5ackdzo9192.bin
c:\windows\system32\34cfthre59136z5.cpl
c:\windows\system32\3535spzmb9t1d.exe
c:\windows\system32\3585backdoor119z.ocx
c:\windows\system32\35998spyze8.dll
c:\windows\system32\362c9hreat250z4.dll
c:\windows\system32\36d9tzreat31245.dll
c:\windows\system32\390zthreat93965.dll
c:\windows\system32\3990a5dwzre3131.dll
c:\windows\system32\3993spz55d.dll
c:\windows\system32\39a59ownloaderz537.bin
c:\windows\system32\39a5vir1589z.cpl
c:\windows\system32\39ddth5ef232z.bin
c:\windows\system32\39z5sparse1671.bin
c:\windows\system32\3b5aspaz5e2494.dll
c:\windows\system32\3b85zhief9110.cpl
c:\windows\system32\3ef3dow95oadzr1203.bin
c:\windows\system32\3f205ownloadzr913.ocx
c:\windows\system32\3z2929ot-a-5irus351.exe
c:\windows\system32\3z691spy315.dll
c:\windows\system32\3z89vir97795.ocx
c:\windows\system32\3zc5v5r9537.ocx
c:\windows\system32\3ze9vi51898.dll
c:\windows\system32\4006tzoj598.exe
c:\windows\system32\4048s9yw5rez680.dll
c:\windows\system32\40559zoj1ec.bin
c:\windows\system32\4154vi9zs751.exe
c:\windows\system32\41ffs9az5e419.bin
c:\windows\system32\42515roj92z.bin
c:\windows\system32\434ado9z5oader2169.ocx
c:\windows\system32\436495arse1z82.dll
c:\windows\system32\44045hzeat9592.ocx
c:\windows\system32\4409zpy5a9.ocx
c:\windows\system32\4424sp5mb9t1cz.bin
c:\windows\system32\44f9addware52z.exe
c:\windows\system32\45375ownlo9dez1631.bin
c:\windows\system32\4579v5zus429.exe
c:\windows\system32\4755bz9kdoor803.exe
c:\windows\system32\47645z927e.exe
c:\windows\system32\47c9spyw5r913z7.ocx
c:\windows\system32\47zdt9ief1795.cpl
c:\windows\system32\4880notza5viru936d.bin
c:\windows\system32\4913sp5rsz4999.exe
c:\windows\system32\4940add5zre3182.dll
c:\windows\system32\4954vir5z26.ocx
c:\windows\system32\49a9st5al298z.cpl
c:\windows\system32\4a539pywarz2247.cpl
c:\windows\system32\4a9fztea52806.dll
c:\windows\system32\4b11thiz93517.dll
c:\windows\system32\4d6bsp5rse179z.cpl
c:\windows\system32\4z0fba5kdoor26919.dll
c:\windows\system32\4z529py5are309.exe
c:\windows\system32\4z52addwar93255.cpl
c:\windows\system32\4z5bvi9250.dll
c:\windows\system32\4z5thief25779.ocx
c:\windows\system32\4ze9spars92225.exe
c:\windows\system32\50c29ir3552z.cpl
c:\windows\system32\50c5steaz9509.dll
c:\windows\system32\51502hackt9ozae.ocx
c:\windows\system32\52131tr9jzd9.dll
c:\windows\system32\52a9ba5kzoor1166.exe
c:\windows\system32\5467spyware29z7.bin
c:\windows\system32\55119worz590.ocx
c:\windows\system32\55352not-a-virus49ez.dll
c:\windows\system32\5593hacztool4a.bin
c:\windows\system32\5598not-a-vzr5s3b5.bin
c:\windows\system32\55cdt9reat13z38.cpl
c:\windows\system32\55e8spz9s5389.ocx
c:\windows\system32\55z1spy559.dll
c:\windows\system32\5673tzreat56590.ocx
c:\windows\system32\56d3adzware953.bin
c:\windows\system32\56dathr9atz8659.bin
c:\windows\system32\56dzsp9ware3034.bin
c:\windows\system32\56fsparse30z59.exe
c:\windows\system32\5719backdooz17165.bin
c:\windows\system32\5742s9yware13z0.ocx
c:\windows\system32\5762steal164z9.dll
c:\windows\system32\57893ha9ktozl131.exe
c:\windows\system32\588919zoj533.exe
c:\windows\system32\58ccsteal39z6.bin
c:\windows\system32\5919dzw5loader1638.ocx
c:\windows\system32\5950hackt9olaz.bin
c:\windows\system32\5972s9y3ffz.exe
c:\windows\system32\5997noz-a-9irus79e.exe
c:\windows\system32\5999bazkdoo52786.ocx
c:\windows\system32\599e9zie51121.dll
c:\windows\system32\59azback5oor1750.dll
c:\windows\system32\59fthreat18z94.bin
c:\windows\system32\59z21troj3e9.cpl
c:\windows\system32\59z8virus529.exe
c:\windows\system32\5az6a5dwar92804.cpl
c:\windows\system32\5b5espyw9rez49.ocx
c:\windows\system32\5bbszywa9e2214.ocx
c:\windows\system32\5bc9steal1z57.ocx
c:\windows\system32\5c1zvi9781.bin
c:\windows\system32\5czcaddw5r92807.cpl
c:\windows\system32\5f705pywarez091.dll
c:\windows\system32\5f9bth5ef2z51.cpl
c:\windows\system32\5fba9dwarez219.ocx
c:\windows\system32\5z05thi9f145.cpl
c:\windows\system32\5z079hacktoolf0.cpl
c:\windows\system32\5z63v5r2699.cpl
c:\windows\system32\5z90troj55c.exe
c:\windows\system32\5za3vi58139.bin
c:\windows\system32\5zc9addw5re2835.exe
c:\windows\system32\6009adzwar95177.bin
c:\windows\system32\606etzief11955.dll
c:\windows\system32\6241vir1195z.dll
c:\windows\system32\62z0v9r2655.exe
c:\windows\system32\649dvir2592z.exe
c:\windows\system32\658bbackzoor1269.ocx
c:\windows\system32\65ddspyw9rz8125.cpl
c:\windows\system32\6845tz5j5629.exe
c:\windows\system32\684dste953250z.ocx
c:\windows\system32\6858not-a-9zrus15e.exe
c:\windows\system32\68cfthzef2596.exe
c:\windows\system32\69c5threat21770z.dll
c:\windows\system32\6a10sp5rse1519z.ocx
c:\windows\system32\6az8th9eat2557.dll
c:\windows\system32\6b9addware5z3.cpl
c:\windows\system32\6bfe5tez93167.dll
c:\windows\system32\6c99sparse115z.bin
c:\windows\system32\6d3csp9r5ez7.dll
c:\windows\system32\6d56threatz509.cpl
c:\windows\system32\6ezste5l2459.cpl
c:\windows\system32\6f7c9hrezt30557.cpl
c:\windows\system32\6z059py25a.cpl
c:\windows\system32\6z0ddownload9r6395.exe
c:\windows\system32\729c5parze3006.bin
c:\windows\system32\7342spars518z9.dll
c:\windows\system32\7434not-9-virus65z.ocx
c:\windows\system32\7446zownloa9er30565.bin
c:\windows\system32\7451w9rm7zf.cpl
c:\windows\system32\7458h9cktoolzab.cpl
c:\windows\system32\7525vir900z.ocx
c:\windows\system32\7543t9zef1548.bin
c:\windows\system32\75479d5waze1215.exe
c:\windows\system32\7553spy5a9e2503z.bin
c:\windows\system32\759dstezl1745.cpl
c:\windows\system32\75z4spar5e5319.cpl
c:\windows\system32\763z95j449.dll
c:\windows\system32\771ezack9oor6075.bin
c:\windows\system32\7790zp5ware531.cpl
c:\windows\system32\77a1thie59z9.bin
c:\windows\system32\78dzh9eat10956.ocx
c:\windows\system32\78z5downlo9der894.ocx
c:\windows\system32\7b61sz9a5101.bin
c:\windows\system32\7b6zsp9rse1552.cpl
c:\windows\system32\7c35dowzl9ader1542.exe
c:\windows\system32\7c6c5p9waze2135.cpl
c:\windows\system32\7d96t95eat9z59.cpl
c:\windows\system32\7ezathi9f158.dll
c:\windows\system32\7f5at5reatz09319.bin
c:\windows\system32\7ff19ir2215z.ocx
c:\windows\system32\7z0not-a-vi5us7699.dll
c:\windows\system32\8119s5y1za.exe
c:\windows\system32\82z0troj591.cpl
c:\windows\system32\8539s9z234.exe
c:\windows\system32\8565zr5j698.ocx
c:\windows\system32\85995py4z79.cpl
c:\windows\system32\8b4stza919035.bin
c:\windows\system32\907z5spy27b.exe
c:\windows\system32\90999spy6zb5.exe
c:\windows\system32\909t95ef29z5.cpl
c:\windows\system32\9135zir1567.bin
c:\windows\system32\91a5downl5ader2569z.exe
c:\windows\system32\92055spambot4zd.exe
c:\windows\system32\9225vi9us5dz.cpl
c:\windows\system32\92297troj6z5.dll
c:\windows\system32\9261zpambot975.cpl
c:\windows\system32\928605ozm2c3.bin
c:\windows\system32\9346v5rz374.ocx
c:\windows\system32\93fzthreat8585.cpl
c:\windows\system32\94e7thiefz54.exe
c:\windows\system32\9529nzt-a-v95usc5.bin
c:\windows\system32\95365spamboz25b.exe
c:\windows\system32\9549downlzader2128.dll
c:\windows\system32\9585not-a-zirus30f.dll
c:\windows\system32\95edadd5are254z.exe
c:\windows\system32\9628v9rzs251.cpl
c:\windows\system32\96963spambot3z85.exe
c:\windows\system32\9766spamb5tz6c.cpl
c:\windows\system32\97959szy46a.bin
c:\windows\system32\97f1addz5re2172.exe
c:\windows\system32\98zbsteal59.bin
c:\windows\system32\9906zpa9bot56.bin
c:\windows\system32\99155irusza9.bin
c:\windows\system32\9925ormz09.dll
c:\windows\system32\9956thi5f3z36.ocx
c:\windows\system32\99919rzj254.dll
c:\windows\system32\9a7czhreat28592.cpl
c:\windows\system32\9c55downloader1z34.ocx
c:\windows\system32\9cd7virz1225.exe
c:\windows\system32\9e51vzr1566.ocx
c:\windows\system32\9z6dsp5ware868.exe
c:\windows\system32\abba95doorz599.ocx
c:\windows\system32\b9p5rze2959.dll
c:\windows\system32\bbzdow5loader928.cpl
c:\windows\system32\c35s5eaz2796.cpl
c:\windows\system32\c65s9ealz047.bin
c:\windows\system32\d22zteal95.exe
c:\windows\system32\drivers\gxvxclvhxiqptsnboduiuruwbpfnbqjixwaky.sys
c:\windows\system32\drivers\gxvxcuigiltowyllrmmepxdntivhckbmurqxe.sys
c:\windows\system32\f3ethief589z.dll
c:\windows\system32\ff9thiez39915.dll
c:\windows\system32\fz9spy5are1589.cpl
c:\windows\system32\gxvxcgeupgqcbpjxqvqsciqhqqqijxmufnkih.dll
c:\windows\system32\gxvxcwflnrirstogdrjogwqpodpgphlthegxj.dll
c:\windows\system32\z0f25ownloader589.dll
c:\windows\system32\z16859i5us365.dll
c:\windows\system32\z17ct9ief1285.dll
c:\windows\system32\z1959pars5415.ocx
c:\windows\system32\z1a5thief1897.ocx
c:\windows\system32\z1cv9r2516.bin
c:\windows\system32\z201wor54399.exe
c:\windows\system32\z228thief25759.cpl
c:\windows\system32\z3229virus2aa5.ocx
c:\windows\system32\z3644v5ru9191.cpl
c:\windows\system32\z4edspa95e2076.bin
c:\windows\system32\z52cdown5oader2989.dll
c:\windows\system32\z5859vi9us411.cpl
c:\windows\system32\z5f4stea5951.exe
c:\windows\system32\z622vi9us5ab.ocx
c:\windows\system32\z63vir2759.cpl
c:\windows\system32\z79bthief2295.exe
c:\windows\system32\z83349ot-5-virus299.cpl
c:\windows\system32\z854v9rus6cb5.dll
c:\windows\system32\z951sparse12025.exe
c:\windows\system32\z9544spy559.exe
c:\windows\system32\z9816spy153.ocx
c:\windows\system32\za40dow9loa5er1994.dll
c:\windows\system32\za7459yware1182.ocx
c:\windows\system32\zb955teal92.ocx
c:\windows\system32\zb9athre5t20055.dll

Re: WinBlueSoft Victim
(cont.)

c:\windows\system32\zbf39hief1513.ocx
c:\windows\system32\zec0spywar91555.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\z0547ha5ktool4c89.dll
c:\windows\z05609py165.bin
c:\windows\z0853spy9c1.ocx
c:\windows\z0922w5rm20c.cpl
c:\windows\z107spyware53079.dll
c:\windows\z19downloader555.bin
c:\windows\z2923not5a-virus789.ocx
c:\windows\z2989tea51672.bin
c:\windows\z2vir25559.ocx
c:\windows\z3090virus75b.ocx
c:\windows\z3155t9oj551.dll
c:\windows\z3629hacktool495.cpl
c:\windows\z4d89pywa5e1838.exe
c:\windows\z55499py554.exe
c:\windows\z55v59780.exe
c:\windows\z578spar9e3121.dll
c:\windows\z7298spy27f5.bin
c:\windows\z7739worm593.cpl
c:\windows\z79sparse3195.bin
c:\windows\z81cb9ckd5or1435.dll
c:\windows\z8263no9-a-virus25.ocx
c:\windows\z879spyware557.dll
c:\windows\z939teal4785.cpl
c:\windows\z93v5r9329.exe
c:\windows\z9953spy4c4.exe
c:\windows\za349ir5330.dll
c:\windows\zd55thie9495.exe
N:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-05 03:10 . 2009-06-05 03:10 3129961 ----a-w- C:\Combo-Fix.exe
2009-06-05 03:07 . 2009-06-05 03:49 -------- d-----w- C:\backups
2009-06-03 03:11 . 2009-06-03 03:11 361472 ----a-w- c:\windows\system32\tempo-setup2.exe
2009-06-03 03:11 . 2009-06-03 03:11 -------- d-----w- c:\program files\WinBlueSoft Software
2009-05-30 20:04 . 2009-03-27 08:16 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2009-05-30 20:04 . 2009-05-30 20:04 -------- d-----w- c:\program files\CPUID
2009-05-24 17:39 . 2009-05-31 04:53 -------- d-----w- C:\Film
2009-05-23 01:26 . 2009-05-23 01:47 -------- d-----w- C:\New Folder
2009-05-10 03:33 . 2009-03-19 00:55 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 03:14 . 2008-10-09 02:04 -------- d-----w- c:\program files\ReGetPro
2009-05-30 18:53 . 2008-08-14 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-30 18:49 . 2008-08-14 14:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2009-05-30 18:42 . 2008-06-29 18:12 55264 ----a-w- c:\documents and settings\Dave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 18:39 . 2008-08-14 05:12 -------- d-----w- c:\documents and settings\Dave\Application Data\Download Manager
2009-05-30 18:29 . 2008-06-29 21:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-26 19:50 . 2009-02-19 03:08 -------- d-----w- c:\program files\mkv2vob
2009-05-22 07:13 . 2008-07-01 22:21 -------- d-----w- c:\documents and settings\Dave\Application Data\dvdcss
2009-05-12 14:24 . 2009-01-28 02:07 -------- d-----w- c:\program files\SSC Service Utility
2009-05-10 03:33 . 2009-03-07 20:50 -------- d-----w- c:\program files\Yahoo!
2009-05-10 03:33 . 2009-03-07 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-14 01:51 . 2009-03-06 01:46 -------- d-----w- c:\documents and settings\Dave\Application Data\Canon
2009-04-10 00:53 . 2009-04-10 00:52 -------- d-----w- c:\program files\Yamb
2009-04-09 04:32 . 2009-04-09 04:32 -------- d-----w- c:\documents and settings\Dave\Application Data\ZoomBrowser EX
2009-04-09 04:24 . 2009-03-06 01:23 -------- d-----w- c:\program files\Canon
2009-04-09 04:23 . 2009-04-09 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-04-07 03:35 . 2009-03-31 21:14 -------- d-----w- c:\documents and settings\Dave\Application Data\Ahead
2003-03-24 15:18 . 2003-03-24 15:18 10050 ----a-w- c:\program files\weeklyscan.reg
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-10-18 455968]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-12 374272]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2006-05-30 937984]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-01-15 77824]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-11 406016]
"SVRemote"="c:\program files\SVRemote\USB20Remote.exe" [2006-02-14 24576]
"WinDVR SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-08-16 106496]
"WinRemote"="c:\program files\InterVideo\WinDVR3\WinRemote.exe" [2005-08-16 208896]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-10 16851968]

c:\documents and settings\Dave\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-1-4 208896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla server.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer.EXE"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"n:\\java\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142Pace.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Documents and Settings\\Dave\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 SAVRoam;SAVRoam;c:\progra~1\SYMANT~1\SYMANT~1\savroam.exe [1/14/2003 6:07 PM 139264]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 12:40 PM 148768]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [10/4/2008 9:36 AM 93696]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [5/30/2009 1:04 PM 12672]
S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [1/4/2007 7:34 PM 75008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
IE: Do&wnload by ReGet Pro - c:\program files\Common Files\ReGet Shared\CC_Link.htm
IE: Download A&ll by ReGet Pro - c:\program files\Common Files\ReGet Shared\CC_All.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
DPF: {62AEFF80-16AD-4AC4-B812-E70EB5F37301} - hxxp://www.zenfolio.com/zf/code/upload-ie-win-x86.cab
FF - ProfilePath -
.

Re: WinBlueSoft Victim
(cont.)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 21:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,ad,06,bc,32,03,
6d,7f,f2,e2,63,26,f1,3f,c8,ff,68,47,00,52,26,13,05,1c,0b,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,df,2f,a5,94,60,
5e,3a,23,6a,9c,d6,61,af,45,84,18,d5,11,47,79,33,1c,6e,a5,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,a6,40,52,67,6d,
80,e7,d3,ff,7c,85,e0,43,d4,0e,fe,f8,30,7c,1b,52,6d,14,e0,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,0d,a6,9e,2d,2a,
ce,fc,b8,86,8c,21,01,be,91,eb,e7,31,a8,21,68,64,43,07,04,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,a1,82,99,56,e0,
1d,36,28,f5,1d,4d,73,a8,13,5c,05,2a,93,c5,92,08,02,06,4f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,f2,b0,58,cb,0a,
68,ea,fe,df,20,58,62,78,6b,cf,c8,e8,be,36,1f,f9,00,e7,89,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,80,24,f6,0b,d5,
78,71,cc,fb,a7,78,e6,12,2f,9a,ea,f3,03,30,50,ad,22,12,1d,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ba,e3,96,ae,0c,
74,09,46,01,3a,48,fc,e8,04,4a,f1,e9,94,ba,3a,a1,de,29,82,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,39,0b,86,57,d6,
1b,44,ba,f6,0f,4e,58,98,5b,89,c9,48,8e,1f,46,00,d5,3f,98,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,e2,9c,a5,49,fd,
88,69,da,3d,ce,ea,26,2d,45,aa,78,c6,ca,3c,c5,4b,34,47,9e,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,cc,ba,7b,a3,e2,
a4,e5,e2,2a,b7,cc,b5,b9,7f,41,e7,1a,16,7f,3d,94,f9,81,bd,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,6e,79,7b,a7,35,
70,f0,9a,6c,43,2d,1e,aa,22,2f,9c,fc,4f,c6,4f,9a,75,ed,a4,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(832)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-06-05 21:31
ComboFix-quarantined-files.txt 2009-06-05 04:31

Pre-Run: 85,268,295,680 bytes free
Post-Run: 89,796,567,040 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=1 Sets=1,2,3,4,5
944 --- E O F --- 2009-05-14 10:02
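The deleted-files list at the top of this log is dominated by names built from a threat word ("downloader", "thief", "spambot", "not-a-virus", ...) with a few letters swapped for 5, 9 or z, padded with hex-looking digits, dropped into c:\windows and c:\windows\system32 with a random extension, plus two long random-letter driver/DLL names with a gxvxc prefix. Names of that shape are what a rogue antivirus plants so that its "scan" has something to report. The script below is an added example, not part of this thread or of ComboFix: it scores paths against that pattern so a list this long can be triaged automatically. The paths in SAMPLE are copied from the log (with a few benign ones from the same log for contrast); THREAT_WORDS, the 5/9/z substitution rule and the thresholds are my own reading of how those names are built.

```python
"""Triage a ComboFix deleted-files list for mangled threat-word decoy names.

Added example for this thread; it is not part of ComboFix or of the original
post. The paths in SAMPLE are copied from the log above (with a few benign
ones from the same log for contrast); THREAT_WORDS, the 5/9/z substitution
rule and the thresholds are my own reading of how those names are built.
"""
import ntpath   # Windows path handling that also works when run on Linux/macOS
import re

# Words the decoy names are built from; every one appears, mangled, in the log.
THREAT_WORDS = [
    "not-a-virus", "downloader", "hacktool", "backdoor", "spyware", "addware",
    "spambot", "sparse", "threat", "thief", "steal", "virus", "troj", "worm",
    "vir", "spy",
]
SUBSTITUTES = set("59z")                     # letters get swapped for these
DECOY_DIRS = {r"c:\windows", r"c:\windows\system32"}
DECOY_EXTS = {".bin", ".cpl", ".dll", ".exe", ".ocx"}
RANDOM_ALPHA = re.compile(r"^[a-z]{30,}$")   # the gxvxc* driver/DLL names

SAMPLE = [  # constructed from the log above
    r"c:\windows\system32\39a59ownloaderz537.bin",
    r"c:\windows\system32\3z2929ot-a-5irus351.exe",
    r"c:\windows\system32\4z5thief25779.ocx",
    r"c:\windows\z0922w5rm20c.cpl",
    r"c:\windows\system32\drivers\gxvxclvhxiqptsnboduiuruwbpfnbqjixwaky.sys",
    r"c:\windows\system32\gxvxcgeupgqcbpjxqvqsciqhqqqijxmufnkih.dll",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\tempo-setup2.exe",
    r"c:\windows\system32\drivers\cpuz132_x32.sys",
    r"c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe",
]


def best_word_match(stem):
    """Closest threat word hidden in `stem`, as (word, exact_letters, subs).

    A window the length of each word slides over the stem. Every position must
    be the word's own letter or one of SUBSTITUTES, and at most len(word)//3
    positions may be substitutes, so a three-letter word like "spy" tolerates
    one swap while "downloader" tolerates three. Returns None if nothing fits.
    """
    best = None
    for word in THREAT_WORDS:
        n, max_subs = len(word), len(word) // 3
        for i in range(len(stem) - n + 1):
            pairs = list(zip(stem[i:i + n], word))
            exact = sum(a == b for a, b in pairs)
            subs = sum(a != b and a in SUBSTITUTES for a, b in pairs)
            if exact + subs == n and subs <= max_subs:
                if best is None or exact > best[1]:
                    best = (word, exact, subs)
    return best


def classify(path):
    """Return a short reason if `path` matches a decoy pattern, else None."""
    directory, name = ntpath.split(path.lower())
    stem, ext = ntpath.splitext(name)
    if ext in {".sys", ".dll"} and RANDOM_ALPHA.match(stem):
        return "random-alpha-name"
    if directory not in DECOY_DIRS or ext not in DECOY_EXTS:
        return None
    match = best_word_match(stem)
    if match is None:
        return None
    word, exact, subs = match
    return f"mangled:{word}:{exact}+{subs}/{len(word)}"


def triage(paths):
    """Map each flagged path to its reason; clean paths are left out."""
    return {p: r for p in paths if (r := classify(p)) is not None}


if __name__ == "__main__":
    for path, reason in triage(SAMPLE).items():
        print(f"{reason:32} {path}")
```

The directory and extension checks are what keep the fuzzy matcher honest: a legitimate system32 file such as svchost.exe or the CPU-Z driver never matches, while the decoys match even when two or three letters are swapped. Names that scramble too many letters (for example 8539s9z234.exe in the log) are missed by design; loosening the threshold quickly starts flagging real files, so treat the output as a triage aid rather than a verdict.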

Re: WinBlueSoft Victim
Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\tempo-setup2.exe

Folder::
c:\program files\WinBlueSoft Software

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-

Driver::
cpuz132



Save this as CFScript.txt and save it to your desktop as well.
Then drag and drop CFScript.txt onto ComboFix, as seen below:
[screenshot omitted]

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done (it will warn you if it wants to).
Post the resulting log back here.
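The two registry values this script deletes are the security-relevant part: NoDispBackgroundPage under policies\system hides the Background tab of Display Properties so the rogue's wallpaper cannot be changed, and AntiVirusOverride under Security Center tells Windows not to warn that no antivirus is running. The script below is an added example, not ComboFix's own code and not part of this thread: it parses the REGEDIT4-style "Reg Loading Points" block of a ComboFix log, picks out values like those two, and renders a CFScript.txt in the same layout as the reply above. The two values, their keys and the CFScript syntax (File::, Folder::, Registry::, Driver:: sections, "=-" to delete a value) are taken from the posts; the extra WATCHLIST entries and all function names are my own.

```python
"""Find rogue-AV registry tampering in a ComboFix 'Reg Loading Points' block
and write the matching CFScript.txt.

Added example for this thread; not ComboFix's own code. The two values, their
keys and the CFScript layout (File::, Folder::, Registry::, Driver:: sections,
"=-" to delete a value) come from the posts above. The extra WATCHLIST entries
and all function names are my own additions.
"""
import re

# Values a rogue AV sets to hide itself or silence Windows. The two marked
# (log) are in the log above; the others are common siblings added by assumption.
WATCHLIST = {
    r"software\microsoft\windows\currentversion\policies\system": {
        "nodispbackgroundpage",   # (log) hides the Display > Background tab
        "disabletaskmgr",
        "disableregistrytools",
    },
    r"software\microsoft\security center": {
        "antivirusoverride",      # (log) silences the "no antivirus" alert
        "firewalloverride",
        "updatesdisablenotify",
    },
}

# Constructed sample: three key blocks copied from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"""

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_regedit4(text):
    """Yield (hive, subkey, value_name, raw_data) for each value line in a
    REGEDIT4-style dump; lines outside a [key] block are ignored."""
    hive = subkey = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            hive, subkey = key.group(1), key.group(2)
            continue
        value = VALUE_RE.match(line)
        if value and hive is not None:
            yield hive, subkey, value.group(1), value.group(2)


def find_tampering(text):
    """Return {(hive, subkey): [value names]} for watchlisted values present."""
    hits = {}
    for hive, subkey, name, _data in parse_regedit4(text):
        if name.lower() in WATCHLIST.get(subkey.lower(), ()):
            hits.setdefault((hive, subkey), []).append(name)
    return hits


def render_cfscript(files=(), folders=(), registry=None, drivers=()):
    """Render CFScript.txt text in the layout used in the reply above.
    `registry` is the mapping returned by find_tampering(); each listed value
    is written as "Name"=- , which tells ComboFix to delete that value."""
    out = []
    if files:
        out += ["File::", *files, ""]
    if folders:
        out += ["Folder::", *folders, ""]
    if registry:
        out.append("Registry::")
        for (hive, subkey), names in registry.items():
            out.append(f"[{hive}\\{subkey}]")
            out += [f'"{name}"=-' for name in names]
        out.append("")
    if drivers:
        out += ["Driver::", *drivers, ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_cfscript(
        files=[r"c:\windows\system32\tempo-setup2.exe"],
        folders=[r"c:\program files\WinBlueSoft Software"],
        registry=find_tampering(SAMPLE_LOG),
        drivers=["cpuz132"],
    ))
```

Run as-is it prints the same CFScript as the reply above. The generated file still goes through the same drag-onto-ComboFix step; the "Command switches used" line at the top of the resulting log is the confirmation that ComboFix actually picked the script up.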

Re: WinBlueSoft Victim
ComboFix still shows up on my desktop as Combo-Fix. When I drag and drop as directed above, I get an error message that says "cannot rename ComboFix to Combo-Fix, please choose another name with alphanumeric characters." I am not trying to rename it, only drag and drop as indicated.

Re: WinBlueSoft Victim
Re-download ComboFix, but don't rename it this time.

Re: WinBlueSoft Victim
ComboFix 09-06-04.04 - Dave 06/04/2009 18:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2654 [GMT -7:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dave\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\program files\WinBlueSoft Software"
"c:\windows\system32\drivers\cpuz132_x32.sys"
"c:\windows\system32\tempo-setup2.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\cpuz132_x32.sys
c:\windows\system32\tempo-setup2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CPUZ132
-------\Service_cpuz132


((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-05 04:00 . 2009-06-05 04:31 -------- d-s---w- C:\Combo-Fix
2009-06-05 03:07 . 2009-06-05 03:49 -------- d-----w- C:\backups
2009-06-03 03:11 . 2009-06-03 03:11 -------- d-----w- c:\program files\WinBlueSoft Software
2009-05-30 20:04 . 2009-05-30 20:04 -------- d-----w- c:\program files\CPUID
2009-05-24 17:39 . 2009-05-31 04:53 -------- d-----w- C:\Film
2009-05-23 01:26 . 2009-05-23 01:47 -------- d-----w- C:\New Folder
2009-05-10 03:33 . 2009-03-19 00:55 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 03:14 . 2008-10-09 02:04 -------- d-----w- c:\program files\ReGetPro
2009-05-30 18:53 . 2008-08-14 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-30 18:49 . 2008-08-14 14:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2009-05-30 18:42 . 2008-06-29 18:12 55264 ----a-w- c:\documents and settings\Dave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 18:39 . 2008-08-14 05:12 -------- d-----w- c:\documents and settings\Dave\Application Data\Download Manager
2009-05-30 18:29 . 2008-06-29 21:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-26 19:50 . 2009-02-19 03:08 -------- d-----w- c:\program files\mkv2vob
2009-05-22 07:13 . 2008-07-01 22:21 -------- d-----w- c:\documents and settings\Dave\Application Data\dvdcss
2009-05-12 14:24 . 2009-01-28 02:07 -------- d-----w- c:\program files\SSC Service Utility
2009-05-10 03:33 . 2009-03-07 20:50 -------- d-----w- c:\program files\Yahoo!
2009-05-10 03:33 . 2009-03-07 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-14 01:51 . 2009-03-06 01:46 -------- d-----w- c:\documents and settings\Dave\Application Data\Canon
2009-04-10 00:53 . 2009-04-10 00:52 -------- d-----w- c:\program files\Yamb
2009-04-09 04:32 . 2009-04-09 04:32 -------- d-----w- c:\documents and settings\Dave\Application Data\ZoomBrowser EX
2009-04-09 04:24 . 2009-03-06 01:23 -------- d-----w- c:\program files\Canon
2009-04-09 04:23 . 2009-04-09 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-04-07 03:35 . 2009-03-31 21:14 -------- d-----w- c:\documents and settings\Dave\Application Data\Ahead
2003-03-24 15:18 . 2003-03-24 15:18 10050 ----a-w- c:\program files\weeklyscan.reg
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-05_04.27.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-05 01:23 . 2009-06-05 01:23 16384 c:\windows\Temp\Perflib_Perfdata_134.dat
+ 2006-02-28 12:00 . 2007-01-01 07:08 86686 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\svchost.exe
+ 2006-02-28 12:00 . 2007-01-01 07:08 483744 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-10-18 455968]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-12 374272]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2006-05-30 937984]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-01-15 77824]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-11 406016]
"SVRemote"="c:\program files\SVRemote\USB20Remote.exe" [2006-02-14 24576]
"WinDVR SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-08-16 106496]
"WinRemote"="c:\program files\InterVideo\WinDVR3\WinRemote.exe" [2005-08-16 208896]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-10 16851968]

c:\documents and settings\Dave\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-1-4 208896]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla server.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer.EXE"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"n:\\java\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142Pace.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Documents and Settings\\Dave\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 SAVRoam;SAVRoam;c:\progra~1\SYMANT~1\SYMANT~1\savroam.exe [1/14/2003 6:07 PM 139264]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 12:40 PM 148768]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [10/4/2008 9:36 AM 93696]
S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [1/4/2007 7:34 PM 75008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
IE: Do&wnload by ReGet Pro - c:\program files\Common Files\ReGet Shared\CC_Link.htm
IE: Download A&ll by ReGet Pro - c:\program files\Common Files\ReGet Shared\CC_All.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
DPF: {62AEFF80-16AD-4AC4-B812-E70EB5F37301} - hxxp://www.zenfolio.com/zf/code/upload-ie-win-x86.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 18:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Re: WinBlueSoft Victim
(cont)

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,ad,06,bc,32,03,
6d,7f,f2,e2,63,26,f1,3f,c8,ff,68,47,00,52,26,13,05,1c,0b,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,df,2f,a5,94,60,
5e,3a,23,6a,9c,d6,61,af,45,84,18,d5,11,47,79,33,1c,6e,a5,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,a6,40,52,67,6d,
80,e7,d3,ff,7c,85,e0,43,d4,0e,fe,f8,30,7c,1b,52,6d,14,e0,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,0d,a6,9e,2d,2a,
ce,fc,b8,86,8c,21,01,be,91,eb,e7,31,a8,21,68,64,43,07,04,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,a1,82,99,56,e0,
1d,36,28,f5,1d,4d,73,a8,13,5c,05,2a,93,c5,92,08,02,06,4f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,f2,b0,58,cb,0a,
68,ea,fe,df,20,58,62,78,6b,cf,c8,e8,be,36,1f,f9,00,e7,89,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,80,24,f6,0b,d5,
78,71,cc,fb,a7,78,e6,12,2f,9a,ea,f3,03,30,50,ad,22,12,1d,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ba,e3,96,ae,0c,
74,09,46,01,3a,48,fc,e8,04,4a,f1,e9,94,ba,3a,a1,de,29,82,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,39,0b,86,57,d6,
1b,44,ba,f6,0f,4e,58,98,5b,89,c9,48,8e,1f,46,00,d5,3f,98,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,e2,9c,a5,49,fd,
88,69,da,3d,ce,ea,26,2d,45,aa,78,c6,ca,3c,c5,4b,34,47,9e,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,cc,ba,7b,a3,e2,
a4,e5,e2,2a,b7,cc,b5,b9,7f,41,e7,1a,16,7f,3d,94,f9,81,bd,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,6e,79,7b,a7,35,
70,f0,9a,6c,43,2d,1e,aa,22,2f,9c,fc,4f,c6,4f,9a,75,ed,a4,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(816)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3284)
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\FileZilla Server\FileZilla server.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-06-05 18:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-05 01:32
ComboFix2.txt 2009-06-05 04:31

Pre-Run: 89,733,267,456 bytes free
Post-Run: 89,602,854,912 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=1 Sets=1,2,3,4,5
270 --- E O F --- 2009-05-14 10:02

Re: WinBlueSoft Victim
Hello.
Please delete this folder in bold:
c:\program files\WinBlueSoft Software

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u


This will also reset your restore points.

How is the machine running now?

Re: WinBlueSoft Victim
completely cured -- where do I send the $64,000,000...
