
 


i have winbluesoft on my pc.......



I have HijackThis installed and my PC ignores it.
I'm running Windows XP with Service Pack 3
I was able to temporarily disable setup2.exe, I would like assistance with fixing my machine. Please help!!!!!!
I looked for the Blocker.dll and it's not present on my machine
I have anti-malware ready to go for when I fix the problem.

I was able to download Silent Runners and here is the report:
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"setup2.exe" = "C:\WINDOWS\system32\setup2.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"CoolSwitch" = "C:\WINDOWS\system32\taskswitch.exe" [null data]
"FastUser" = "C:\WINDOWS\system32\fast.exe" [MS]
"vptray" = "C:\Program Files\NavNT\vptray.exe" ["Symantec Corporation"]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"WinBlueSoft" = "C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min" [file not found]
"Ad-Watch" = "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" ["Lavasoft"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Malwarebytes' Anti-Malware" = "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{709C6E11-538F-4759-86AC-6ACB302AA0DE}" = "Desktop Manager"
-> {HKLM...CLSID} = "Desktop Manager"
\InProcServer32\(Default) = "C:\WINDOWS\system32\msvdm.dll" [null data]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\phototoys.dll" [MS]
"{efb97cb8-a4a4-4357-a261-002ffaed0267}" = "CD Slideshow Powertoy"
-> {HKLM...CLSID} = "CD Burn Slideshow Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\slideshow.dll" [MS]
"{72923739-5A47-40A3-9895-25AF0DFBB9E4}" = "Glary Utilities Context Menu Shell Extension"
-> {HKLM...CLSID} = "Glary Utilities Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\GLARYU~1\CONTEX~1.DLL" ["GlarySoft.com"]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
-> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<> ("digeste.dll" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Glary Utilities\(Default) = "{72923739-5A47-40A3-9895-25AF0DFBB9E4}"
-> {HKLM...CLSID} = "Glary Utilities Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\GLARYU~1\CONTEX~1.DLL" ["GlarySoft.com"]
LavasoftShellExt\(Default) = "{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F}"
-> {HKLM...CLSID} = "Lavasoft Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll" [null data]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Glary Utilities\(Default) = "{72923739-5A47-40A3-9895-25AF0DFBB9E4}"
-> {HKLM...CLSID} = "Glary Utilities Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\GLARYU~1\CONTEX~1.DLL" ["GlarySoft.com"]
LavasoftShellExt\(Default) = "{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F}"
-> {HKLM...CLSID} = "Lavasoft Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll" [null data]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoWindowsUpdate" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove links and access to Windows Update}

"NoInstrumentation" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoInstrumentation" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\

"DisableWindowsUpdateAccess" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Update|
Remove access to use all Windows Update features}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\MSVDM-Desktop0.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Michael Francis\Application Data\Mozilla\Firefox\Desktop Background.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssstars.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlay2AudioToNeroDigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_AudioToNeroDigital"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_AudioToNeroDigital\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /Dialog:SaveTracks /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2CopyCD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2DataDisc\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2RipCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_RipCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_RipCD\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /Dialog:SaveTracks /Drive:%L" ["Ahead Software AG"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]


Startup items in "Michael Francis" & "All Users" startup folders:
-----------------------------------------------------------------

C:\Documents and Settings\Michael Francis\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Ad-Aware Update (Weekly)" -> launches: "C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe update all silent" ["Lavasoft"]
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"GlaryInitialize" -> launches: "C:\Program Files\Glary Utilities\initialize.exe" ["GlarySoft.com"]
"{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}" -> launches: "C:\WINDOWS\TEMP\tempo-21391109.tmp" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]
DefWatch, DefWatch, ""C:\Program Files\NavNT\defwatch.exe"" ["Symantec Corporation"]
InteractiveLogon, InteractiveLogon, "C:\WINDOWS\system32\Fast.exe -service" [MS]
Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Lavasoft Ad-Aware Service, Lavasoft Ad-Aware Service, ""C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"" ["Lavasoft"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton AntiVirus Client, Norton AntiVirus Server, ""C:\Program Files\NavNT\rtvscan.exe"" ["Symantec Corporation"]


---------- (launch time: 2009-06-22 18:30:47)
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 39 seconds.
---------- (total run time: 113 seconds)

I'm unsure how to create a registry fix file.
Bring it on

Re: i have winbluesoft on my pc.......

PLEASE HELP!!!!!

Re: i have winbluesoft on my pc.......

Please navigate to this file and delete it: C:\windows\system32\blocker.dll — it may be what is blocking HijackThis from running.

See if you can run HijackThis now.

Re: i have winbluesoft on my pc.......

I don't have blocker.dll on my PC. For some reason I'm still not able to run HijackThis. Would you suggest any other options?

Re: i have winbluesoft on my pc.......

Since HijackThis won't run, see if you can run this different diagnostic tool instead.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.

Re: i have winbluesoft on my pc.......

DDS (Ver_09-05-14.01) - NTFSx86
Run by Michael Francis at 18:52:07.37 on Tue 06/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.524 [GMT -5:00]

FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\Fast.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\setup2.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Michael Francis\My Documents\My Pictures\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [setup2.exe] c:\windows\system32\setup2.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
StartupFolder: c:\docume~1\michae~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\michae~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
uPolicies-explorer: NoInstrumentation = 0 (0x0)
mPolicies-explorer: NoSMMyPictures = 0 (0x0)
mPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
mPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
mPolicies-explorer: NoInstrumentation = 0 (0x0)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 85.255.112.194,85.255.112.125
TCP: {30135F0A-AB3F-4664-8C6D-9A53D0282FCF} = 85.255.112.194,85.255.112.125
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michae~1\applic~1\mozilla\firefox\profiles\ejisdlzw.default\
FF - component: c:\documents and settings\michael francis\application data\mozilla\firefox\profiles\ejisdlzw.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: browser.sessionstore.resume_from_crash - false

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-6-22 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-6-22 46864]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-6-22 159896]
R1 pctmp;PC Tools Firewall Memory Protection Driver;c:\windows\system32\drivers\pctmp.sys [2009-6-22 40856]
R1 pctssipc;PC Tools Security Suite IPC Driver;c:\windows\system32\drivers\pctssipc.sys [2009-6-22 18328]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2002-3-28 18000]
R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2002-3-29 471040]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2009-6-22 92056]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2002-3-28 185984]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090610.002\NAVENG.sys [2009-6-12 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090610.002\NAVEX15.sys [2009-6-12 876144]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-6-22 33552]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2008-4-12 20160]
S3 SeratoUsb;SeratoUsb driver;c:\windows\system32\drivers\SeratoUsb.sys [2006-3-16 35712]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-06-23 13:39 3,295 a------- c:\windows\system32\9z050s5y62.dll
2009-06-22 23:57 --d----- c:\program files\Trend Micro
2009-06-22 23:23 --d----- c:\docume~1\michae~1\applic~1\PCToolsFirewallPlus
2009-06-22 23:20 159,896 a------- c:\windows\system32\drivers\pctfw2.sys
2009-06-22 23:19 93,440 a------- c:\windows\system32\drivers\pctfw.sys
2009-06-22 23:19 40,856 a------- c:\windows\system32\drivers\pctmp.sys
2009-06-22 23:19 18,328 a------- c:\windows\system32\drivers\pctssipc.sys
2009-06-22 23:19 --d----- c:\program files\common files\PC Tools
2009-06-22 23:19 --d----- c:\program files\PC Tools Firewall Plus
2009-06-22 23:19 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-06-22 23:19 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-06-22 23:19 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-06-22 23:19 --d----- c:\program files\ThreatFire
2009-06-22 23:19 --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-06-22 23:10 --d----- c:\docume~1\michae~1\applic~1\IObit
2009-06-22 23:10 --d----- c:\program files\IObit
2009-06-22 23:09 --d----- c:\program files\Lavasoft
2009-06-22 19:10 5,868 a------- c:\windows\5553downloadz9962.bin
2009-06-22 18:43 17,106 a------- c:\windows\5z49s5arse1201.bin
2009-06-22 18:34 --d----- C:\!KillBox
2009-06-22 18:24 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-06-22 18:24 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 18:24 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-22 18:24 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 16:49 3,663 a------- c:\windows\43z8vir2591.bin
2009-06-22 10:05 12,694 a------- c:\windows\d2c9a5kdozr2019.bin
2009-06-21 15:43 15,684 a------- c:\windows\255z6wo5970.dll
2009-06-21 04:04 10,663 a------- c:\windows\system32\2e5cthzef1195.cpl
2009-06-20 00:36 9,987 a------- c:\windows\system32\20395vi5us791z.bin
2009-06-19 05:38 16,566 a------- c:\windows\z7804v5r9s5eb.exe
2009-06-18 23:02 16,875 a------- c:\windows\17535s9yz5f.cpl
2009-06-18 18:19 --d----- c:\program files\Microsoft AntiSpyware
2009-06-18 18:19 --d----- c:\program files\SpywareBlaster
2009-06-18 18:17 --d----- c:\program files\Spybot - Search & Destroy
2009-06-18 18:17 --d----- c:\program files\SpywareGuard
2009-06-17 22:09 --dsh--- c:\documents and settings\michael francis\IECompatCache
2009-06-17 22:08 --dsh--- c:\documents and settings\michael francis\PrivacIE
2009-06-17 22:06 44,944 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-06-17 22:06 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-06-17 22:06 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-06-17 22:06 129,520 -------- c:\windows\system32\pxafs.dll
2009-06-17 16:37 12,280 a------- c:\windows\system32\7fz8thie52966.exe
2009-06-16 22:41 --dsh--- c:\documents and settings\michael francis\IETldCache
2009-06-16 22:39 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-16 22:39 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-16 22:39 --d----- c:\windows\ie8updates
2009-06-16 22:38 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-16 22:36 -cd-h--- c:\windows\ie8
2009-06-16 18:50 13,755 a------- c:\windows\19629pyware7z05.exe
2009-06-16 09:35 14,288 a------- c:\windows\6zbc9ac5door2966.cpl
2009-06-14 09:15 7,309 a------- c:\windows\z699spy515.dll
2009-06-09 23:24 8,540 a------- c:\windows\system32\2975dow9loadez5998.cpl
2009-06-09 01:30 4,474 a------- c:\windows\system32\504csteal9z83.ocx
2009-06-07 23:58 647,872 a------- c:\windows\system32\mscomct2.ocx
2009-06-07 23:58 140,488 a------- c:\windows\system32\comdlg32.ocx
2009-06-07 23:58 61,440 a------- c:\windows\system32\digitbox.ocx
2009-06-07 23:58 --d----- c:\program files\Alarm
2009-06-07 19:29 --d----- c:\windows\system32\appmgmt
2009-06-07 16:17 4,946 a------- c:\windows\591hazkt5ol72c.ocx
2009-06-06 19:09 3,580 a------- c:\windows\198z9ot-a-v5rus2e4.exe
2009-06-06 17:34 10,316 a------- c:\windows\system32\773zs9ar5e17.cpl
2009-06-06 03:41 6,152 a------- c:\windows\c99bac9do5z579.exe
2009-06-05 19:59 7,589 a------- c:\windows\996zworm1c5.ocx
2009-06-05 17:04 9,273 a------- c:\windows\system32\5ac9spazs9359.bin
2009-06-05 08:13 17,288 a------- c:\windows\system32\25105woz95a.dll
2009-06-03 07:11 7,232 a------- c:\windows\435dvir2349z.dll
2009-06-01 16:53 4,705 a------- c:\windows\5a75addz9re2839.ocx
2009-06-01 11:35 18,173 a------- c:\windows\52z5thie518519.ocx
2009-05-31 22:02 8,935 a------- c:\windows\30597spambot1e4z.ocx

descriptioni have winbluesoft on my pc....... EmptyRe: i have winbluesoft on my pc.......

==================== Find3M ====================

2009-06-18 19:12 170,894 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-05-24 13:27 15,823 a------- c:\windows\4210v9r5s4fz.exe
2009-05-22 16:26 12,037 a------- c:\windows\15993not-a9zirus33a.bin
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-21 02:13 15,652 a------- c:\windows\system32\582znot-a-virus297.dll
2009-05-19 11:03 18,033 a------- c:\windows\system32\4z89backdoor5903.bin
2009-05-18 21:58 14,289 a------- c:\windows\59c5zir1954.dll
2009-05-18 03:24 6,386 a------- c:\windows\62fcspz95e2197.dll
2009-05-16 17:50 16,361 a------- c:\windows\50z9pambot6ea.bin
2009-05-16 02:56 13,874 a------- c:\windows\65efthreat9177z.bin
2009-05-15 23:22 7,999 a------- c:\windows\system32\569159reat13z50.dll
2009-05-14 07:39 13,677 a------- c:\windows\system32\3518spaz9e216.exe
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 19:30 8,238 a------- c:\windows\system32\9z130w5rmac.exe
2009-05-12 13:08 3,378 a------- c:\windows\system32\9551steal2887z.exe
2009-05-12 11:42 6,120 a------- c:\windows\60b8v59265z.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-05 22:49 6,041 a------- c:\windows\z3507hack9oo5545.exe
2009-05-05 00:43 3,243 a------- c:\windows\system32\115eb9ckdoorz24.dll
2009-05-04 01:18 10,846 a------- c:\windows\system32\18099tro925z.dll
2009-05-02 10:16 3,184 a------- c:\windows\47ez9teal2953.exe
2009-05-02 00:26 11,497 a------- c:\windows\16486zpy596.bin
2009-04-28 07:00 2,963 a------- c:\windows\system32\5zbfdownloade93197.dll
2009-04-25 18:59 16,203 a------- c:\windows\system32\9z510spy5be.exe
2009-04-24 17:23 5,310 a------- c:\windows\system32\1449hackz9o5365.exe
2009-04-24 04:25 15,482 a------- c:\windows\z159download9r2220.dll
2009-04-24 01:36 3,762 a------- c:\windows\7ecfth5ezt8294.bin
2009-04-20 06:29 14,064 a------- c:\windows\system32\752spy9zre2575.exe
2009-04-20 04:04 15,716 a------- c:\windows\system32\9d45zparse555.bin
2009-04-18 02:40 13,174 a------- c:\windows\system32\51768zirus490.exe
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 03:34 18,375 a------- c:\windows\system32\62b2tzre9t29546.bin
2009-04-16 21:09 2,668 a------- c:\windows\2003za5ktoo920b.dll
2009-04-15 15:25 2,925 a------- c:\windows\710bba5kzo9r198.dll
2009-04-15 12:45 8,903 a------- c:\windows\42zb95dware906.bin
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 02:10 7,793 a------- c:\windows\20c9thie52566z.dll
2009-04-14 15:48 5,865 a------- c:\windows\system32\97556wzr54cc.dll
2009-04-01 10:02 6,306 a------- c:\windows\system32\8363worz695.exe
2009-03-28 05:09 7,186 a------- c:\windows\924ztro5299.exe
2008-08-20 06:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 18:52:31.50 ===============

Re: i have winbluesoft on my pc.......

OK, here is what I have (the ComboFix log above).

Re: i have winbluesoft on my pc.......

Please see if MBAM (Malwarebytes' Anti-Malware) will run on the machine.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from the link provided (the vendor's official download); do not use a copy obtained from any other site.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts.
Click OK on either prompt and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: i have winbluesoft on my pc.......

My PC will not let me download Malwarebytes' Anti-Malware. I did manage to get a copy from a friend, but after I go through the install process it will not load. Any ideas?

Re: i have winbluesoft on my pc.......
