WiredWX Christian Hobby Weather Tools

Winbluesoft is crazy
Hi all,
As I can see a lot of posts in the forum for Winbluesoft Virus/Malware. Unfortunately my PC is also infected by it. It is a crazy virus which does not allow any application to work even in Safe Mode. I have tried installing all major malware removal software like Malwarebytes, SmitFraudfix, Avenger, HiJackthis, Combo-fix but nothing works.

I am able to copy them on the Desktop but I am not able to install any of them. The virus does not allow me to do anything. And the funniest part is it does not give much time to work as well: once you are logged in to Normal or Safe Mode, after some time the mouse pointer automatically starts running towards the Windows Start button and logs off the user, and if you try again and again to log in it simply terminates the Windows application.

It is the most crazy Virus I have ever seen, Please somebody help!!
What Software to install?? What to do??

Rohit

Re: Winbluesoft is crazy
Hello.
Can you try renaming the Hijack This installer?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Winbluesoft is crazy
Hi Belahzur, Thanks for replying....
As suggested by you, I tried renaming the Hijackthis to HJT and then copied it to the root directory c:\ .....but as was expected it did not work. I did it all while in Safe Mode of Windows.
Actually, the Winbluesoft virus is not allowing any application to work in Windows. I am able to open only My Computer and Control Panel utilities...
I tried opening REGEDIT also to remove the Winbluesoft entries manually but then it also does not open.

I am clueless what to do....?? Please help.

Re: Winbluesoft is crazy
Hello.
We're gonna try this manually.

Delete these three files in bold:
C:\Windows\system32\setup2.exe
C:\Windows\ieocx.dll
C:\Documents and settings\USERNAME\winav.exe <== might be called sysav.exe too

............................................................................................

Site Admin / Security Administrator


Re: Winbluesoft is crazy
I started my PC in Safe Mode and was able to delete the Setup2.exe file from the Windows/System 32 folder but I did not find the other two files.

After this I restarted my PC in Normal mode and found that no more warning messages are popping up but still I was not able to run any of the malware removal exe files.

Now I am a bit hopeful..... Please Help!!

Re: Winbluesoft is crazy
Hello.
Boot back into safe mode, and try running Hijack This in safe mode.

............................................................................................

Site Admin / Security Administrator


Re: Winbluesoft is crazy
I tried running HijackThis in Safe Mode but nothing happens. I even tried all the malware removal software listed in all the other posts as well..... GMER, Smitfraudfix, Combofix...etc. but nothing works...
DDS.scr is not recognized on my machine and double clicking on it opens the dialog box for 'Open With'.
I think we have only removed the exe file for the warnings and all the remaining things still exist....WinBluesoft is terminating all the applications...even a simple Windows application does not work.

Please suggest what to do!! I think we need to remove some more files manually or any other way as per your experience.....

Re: Winbluesoft is crazy
Let's try this.


  • Now open a new notepad file.
  • Input this into the notepad file:

    [Version]
    Signature=$CHICAGO$

    [DefaultInstall]
    AddReg=Del.Settings

    [Del.Settings]
    HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,setup2.exe,0x00000000
    HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup2.exe
    HKLM,software\microsoft\windows\currentVersion\Run,WinBlueSoft,0x00000000
    HKU,DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run,setup2.exe,0x00000000
    HKLM.software\microsoft\windows nt\currentversion\windows,AppInit_DLLs,0x00000000


  • Save this as fixreg.inf, save it to your desktop.
  • Right click fixreg.inf and select install.

............................................................................................

Site Admin / Security Administrator


Re: Winbluesoft is crazy
As suggested I created the .inf file and installed it on my PC in Safe Mode. It seems that it got installed but there is no difference as such in the behaviour of the PC. After installing it I again rebooted the system and again tried to run Hijackthis and other similar software but again nothing worked......
No clue what to do next...Please help!!

Re: Winbluesoft is crazy
Hello.
Please download MGTools from here:
http://forums.majorgeeks.com/showthread.php?t=137630

See if that will run on your system while infected.

............................................................................................

Site Admin / Security Administrator


Re: Winbluesoft is crazy
No, it does not work.....same old story. Downloaded MG Tools and saved it on the C: drive in Safe Mode..but nothing happens when I try to run it.....

Please help!!

Re: Winbluesoft is crazy
Let's try this.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

Site Admin / Security Administrator


Re: Winbluesoft is crazy
I have already tried it many times in Safe Mode...but it does not work.

Re: Winbluesoft is crazy
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to Actions tab >> under Objects section, change the settings to below
    Infected objects - Cure
    Incurable objects - Report
    Suspicious objects - Report
    o Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..

............................................................................................

Site Admin / Security Administrator


Re: Winbluesoft is crazy
Hi, I used the following code in Fixreg.inf and now I am able to run .exe files

[Version]
Signature=$CHICAGO$

[DefaultInstall]
AddReg=Del.Settings

[Del.Settings]
HKLM,software\microsoft\windows nt\currentversion\windows,AppInit_DLLs,0x00000000

But the problem is the Winbluesoft virus does not give enough time to do anything. It logs off the user within a few minutes and everything stops. The Web Cureit anti virus was running but due to the log off everything got spoiled. I think we need to cure this automatic log off thing first before moving ahead...

Please help....Now I am more hopeful of getting my PC back in normal condition.
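
A check of the two fixreg.inf bodies posted in this thread, as an added example that is not part of any participant's post: the AppInit_DLLs value lists DLLs that Windows loads into every process that loads user32.dll, and the sketch below lints each AddReg line against the INF field layout to show which variant addresses that value. The function and constant names are hypothetical.

```python
# Added example (not from the thread): lint the AddReg lines of both fixreg.inf bodies.
# AddReg line syntax: reg-root,[subkey],[value-entry-name],[flags],[value]
VALID_ROOTS = {"HKCR", "HKCU", "HKLM", "HKU", "HKR"}
APPINIT_KEY = r"software\microsoft\windows nt\currentversion\windows"

# [Del.Settings] exactly as posted the first time (copied from the thread).
FIRST_INF = r"""
[Del.Settings]
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,setup2.exe,0x00000000
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup2.exe
HKLM,software\microsoft\windows\currentVersion\Run,WinBlueSoft,0x00000000
HKU,DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run,setup2.exe,0x00000000
HKLM.software\microsoft\windows nt\currentversion\windows,AppInit_DLLs,0x00000000
"""
# [Del.Settings] from the later post that restored the ability to run .exe files.
SECOND_INF = r"""
[Del.Settings]
HKLM,software\microsoft\windows nt\currentversion\windows,AppInit_DLLs,0x00000000
"""

def section_lines(inf_text, section):
    """Return the non-blank, non-comment lines belonging to [section]."""
    current, lines = None, []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower():
            lines.append(line)
    return lines

def lint_addreg(inf_text, section="Del.Settings"):
    """Return (lines_with_invalid_root, clears_appinit_dlls)."""
    bad, clears = [], False
    for line in section_lines(inf_text, section):
        # Naive comma split: enough here, none of these lines has a quoted comma.
        f = [x.strip() for x in line.split(",")] + [""] * 4
        if f[0].upper() not in VALID_ROOTS:
            bad.append(line)  # e.g. "HKLM.software\..." is not a registry root
            continue
        flags = int(f[3], 0) if f[3] else 0
        # Flags 0 is REG_SZ; with no value field the entry is set to an empty string.
        if (f[1].lower(), f[2].lower(), flags, f[4]) == (APPINIT_KEY, "appinit_dlls", 0, ""):
            clears = True
    return bad, clears

if __name__ == "__main__":
    for name, text in (("first", FIRST_INF), ("second", SECOND_INF)):
        print(name, lint_addreg(text))
```

In the first body the AppInit_DLLs line starts with `HKLM.software`, which is not a registry root abbreviation, so only the second body writes an empty AppInit_DLLs list.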

Re: Winbluesoft is crazy
Hello.
Good work, does it still log you off in safe mode?

............................................................................................

Site Admin / Security Administrator


Re: Winbluesoft is crazy
After running Malwarebytes and removing those three infected files, the PC has started behaving normally. After all this I again restarted the PC in Normal Mode and again started Malwarebytes, updated it by connecting to the internet and then did the full scan, and it again reported five infected files which I also deleted. I also cleaned up the temporary files and did a registry clean using "CCleaner". Now the PC is working perfectly OK.

Is there any other thing which needs to be done or am I done with my virus removal?

Thanks a Lot!!

Re: Winbluesoft is crazy

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

............................................................................................

Site Admin / Security Administrator


Re: Winbluesoft is crazy
Actually the .scr file is not identified by my system and if I click it to run, it opens the "Open With" dialog box. Can you suggest how I can run it on my PC?
I have installed a software, DWG True View, for viewing Autocad files and .scr files are recognized as being associated with it.

Please help!!

Re: Winbluesoft is crazy
Okay, try running the pif files.
Or rename it to .exe if you want to run it as an exe.

............................................................................................

Site Admin / Security Administrator

