WiredWX Christian Hobby Weather Tools

Spyware Alert - WinBlueSoft

Hey guys,

I am posting this message from another computer as I cannot do anything on mine. This WinBlueSoft virus has got into my PC! The "Spyware Alert" message is always visible in the bottom right corner of the screen and I always get messages that appear trying to persuade me to register with them! I have tried using Malwarebytes to remove it but it won't open! I transferred the installation file via USB to install it on the system. After installing with no problems, Malwarebytes does not open. I have tried using other programs but none of them open. My AVG security can complete a Full Scan but it did not do anything! WinBlueSoft has also stopped me from browsing the internet. No pages load when I open my browser. I've tried System Restore in both normal and Safe Mode but it just won't let me! I cannot access the task manager or anything. I don't know what else I can do!

Please help me!
Thanks guys,
Matt.

Re: Spyware Alert - WinBlueSoft

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found; copy and paste it back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Spyware Alert - WinBlueSoft

Hey Belahzur,

Thanks for your reply.

I installed HiJackThis but it won't let me open it!

Re: Spyware Alert - WinBlueSoft

Can you try renaming the icon on your Desktop to Winlogon please?


Re: Spyware Alert - WinBlueSoft

Yep I've renamed it!
Still doesn't open though!

Thanks,
Matt.


Re: Spyware Alert - WinBlueSoft

Are there any other ideas you can think of?
Would I be able to delete the file that is blocking me from accessing everything? I think it's called "blocker.dll"

Thanks for your help,
Matt.

Re: Spyware Alert - WinBlueSoft

Hello.

Please download the Pocket Killbox from HERE

Can you open the Killbox/will it stay open?


Re: Spyware Alert - WinBlueSoft

Hey,
thanks for your reply.

My AVG detects KillBox.exe as a threat. What do you suggest I do? Carry on and open it or not? I am opening it from my USB stick as I had to use my laptop to access the internet and download it. I opened it fine in Safe Mode and it stayed open.

Thanks,
Matt.

Re: Spyware Alert - WinBlueSoft

AVG sucks. -.-
Killbox is not a threat, ignore what AVG says.
Carry on with it, see if Killbox will open.


Re: Spyware Alert - WinBlueSoft

OK, I got Killbox. What do I do next?

Re: Spyware Alert - WinBlueSoft

1. Open the Killbox.
2. Under "Full path of file to delete", copy and paste in the following:

C:\Windows\system32\blocker.dll

3. Switch "Standard file kill" to "Delete on reboot"
4. Press the Red X to delete the file.
5. It will ask if you want to make a backup of the file we deleted, select Yes to the prompt.
6. It will now delete the file, and popup with another prompt saying so, press Ok.
7. Close the Killbox.


Re: Spyware Alert - WinBlueSoft

Hey,

Okay, yep, I've done that!

Re: Spyware Alert - WinBlueSoft

Yeah, me too. And I'm still getting the spyware popups.

Re: Spyware Alert - WinBlueSoft

Same here senorwolfe015.

Re: Spyware Alert - WinBlueSoft

Hello.
Don't worry, I know you still have problems; Killbox wasn't meant to fix that.
The blocker.dll is the reason behind you not being able to open things; bet you noticed things will open normally now.

See if you can run Hijack This now.


Re: Spyware Alert - WinBlueSoft

Hey,

I opened Killbox from my desktop and followed the instructions you gave. After clicking the RED CROSS, I did not get a message about backing up. Instead I got the message - "File will be Removed on Reboot, Do you want to Reboot now?". I then clicked OK and another message - "PendingFileRenameOperations Registry Data has been removed by External Process!". I clicked OK and restarted my computer. After restarting, I tried opening the Task Manager by pressing CTRL ALT DELETE but it was still blocked! I also tried running HiJackThis but still no luck!

I tried doing it again the day after and the same messages appeared and still no luck! I have just given it another go, selecting "Standard File Kill" instead of "Delete on Reboot", and this time the messages you said would appear did! - Confirm Message: "Backup & Delete C:\Windows\system32\blocker.dll"

I then clicked YES and got a File Error message stating:
"This file does not seem to exist"

Have any idea mate?
Thanks for your help so far, I really appreciate it!
Matt.
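Killbox's "Delete on reboot" option and the "PendingFileRenameOperations Registry Data has been removed by External Process!" message Matt reports above both concern the same Windows mechanism: the Session Manager's PendingFileRenameOperations value, a REG_MULTI_SZ list that the boot-time session manager reads in (source, target) pairs, deleting the source when the target is empty and renaming it otherwise. The Python below is an added example, not Killbox's code or anything from this thread; it builds, decodes and audits that layout in memory (no registry access), so a responder can see what is queued for the next boot and whether a queued deletion vanished before the reboot. The PendingOp type, the helper names and the sample paths other than blocker.dll are mine.

```python
"""Encode, decode and audit the PendingFileRenameOperations value layout.

Added illustration (not Killbox's code). Assumed layout, as Windows stores it:
NUL-terminated UTF-16LE strings, read in (source, target) pairs; empty target =
delete at boot; a target prefixed with "!" = replace an existing file; paths are
in NT form (\??\C:\...). Nothing here touches a real registry.
"""
from typing import List, NamedTuple, Optional

PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"


class PendingOp(NamedTuple):
    source: str
    target: Optional[str]          # None = delete source at next boot
    replace_existing: bool = False  # "!" prefix on the target


def to_nt_path(path: str) -> str:
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def from_nt_path(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_multi_sz(strings: List[str]) -> bytes:
    # Each string ends in NUL; the whole list ends in one more NUL; stored as UTF-16LE.
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(blob: bytes) -> List[str]:
    text = blob.decode("utf-16-le")
    if len(text) < 2 or not text.endswith("\0\0"):
        return []  # empty or malformed list
    # Drop the last string's NUL and the list terminator, then split on the rest.
    # Empty strings survive this, which the pending-rename value relies on.
    return text[:-2].split("\0")


def queue_operations(ops: List[PendingOp]) -> bytes:
    """Build the value in the layout MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) writes."""
    entries = []
    for op in ops:
        entries.append(to_nt_path(op.source))
        if op.target is None:
            entries.append("")
        else:
            entries.append(("!" if op.replace_existing else "") + to_nt_path(op.target))
    return encode_multi_sz(entries)


def parse_pending_operations(blob: bytes) -> List[PendingOp]:
    entries = decode_multi_sz(blob)
    if len(entries) % 2:
        raise ValueError("malformed value: entries must come in source/target pairs")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        ops.append(PendingOp(from_nt_path(src), from_nt_path(dst) or None, replace))
    return ops


def describe(ops: List[PendingOp]) -> List[str]:
    """Human-readable audit lines for a decoded value."""
    lines = []
    for op in ops:
        if op.target is None:
            lines.append(f"delete  {op.source}")
        else:
            verb = "replace" if op.replace_existing else "rename "
            lines.append(f"{verb} {op.source} -> {op.target}")
    return lines


def value_was_cleared(before: bytes, after: bytes) -> bool:
    """True when operations queued in `before` are all gone in `after` (someone rewrote the key)."""
    queued = set(parse_pending_operations(before))
    return bool(queued) and not queued & set(parse_pending_operations(after))


if __name__ == "__main__":
    blob = queue_operations([PendingOp(r"C:\Windows\system32\blocker.dll", None)])
    for line in describe(parse_pending_operations(blob)):
        print(line)
    print("cleared before reboot:", value_was_cleared(blob, encode_multi_sz([])))
```

On a live machine the value is read with reg query before and after the restart and the two copies are fed to value_was_cleared; if the queued entry disappears before the reboot ever happens, something else on the box rewrote the key, which is exactly the symptom Killbox reported in Matt's post.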

Re: Spyware Alert - WinBlueSoft


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


Re: Spyware Alert - WinBlueSoft

Hey,
Woo! Something that finally worked!
I think I can spot some of the WinBlueSoft .exe and .bin files. I didn't want to go deleting them because they might not be the virus!

Here is the DDS file:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Matt at 19:27:13.00 on 27/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.139 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k sys
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\setup2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgcmgr.exe
C:\Documents and Settings\Matt.FLEETY\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uDefault_Page_URL = hxxp://www.dell.co.uk/myway
mSearch Page = hxxp://www.msn.com
mURLSearchHooks: H - No File
BHO: MSN helper: {4efd3aea-b660-4f24-8519-12531d2a3b0c} - khmx1.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [setup2.exe] c:\windows\system32\setup2.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [EPSON Stylus DX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [TkBellExe] "realsched.exe" -osboot
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
StartupFolder: c:\docume~1\matt~1.fle\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - hxxp://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://aolsvc.aol.com/onlinegames/trydinerdash2/DinerDash2.1.0.0.48.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149350509750
DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} - hxxp://esupport.epson-europe.com/selftest/en/Prg/ESTPTest.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/iwincarambadeluxe/zylomgamesplayer.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} - hxxp://www.xfactorchallenge.co.uk/getPlugin.do
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
TCP: NameServer = 85.255.112.108,85.255.112.211
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt~1.fle\applic~1\mozilla\firefox\profiles\wwfj1b4y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

Re: Spyware Alert - WinBlueSoft

============= SERVICES / DRIVERS ===============

R0 mcctl;mcctl;c:\windows\system32\drivers\mcctl.sys [2006-7-16 4864]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-8 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-8 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-8 108552]
R1 sysdrv;sysdrv;c:\program files\sys\sys.sys [2009-6-24 9344]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-8 298776]
R2 sys;sys;c:\windows\system32\svchost.exe -k sys [2004-8-10 35840]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 anf0100.sys;anf0100.sys;\??\c:\windows\system32\drivers\anf0100.sys --> c:\windows\system32\drivers\anf0100.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-2-18 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-2-18 85696]
S4 Atdracecaavice;Atdracecaavice; [x]

=============== Created Last 30 ================

2009-06-26 13:24 1 a------- c:\windows\system32\xd.dat
2009-06-26 13:24 1 a------- c:\windows\system32\idm.dat
2009-06-26 13:24 1 a------- c:\windows\system32\ck.dat
2009-06-26 13:24 1 a------- c:\windows\system32\c2d.dat
2009-06-26 12:55 --d----- c:\program files\XoftSpySE
2009-06-25 23:55 9,943 a------- c:\windows\system32\640abackd9or5z42.dll
2009-06-25 21:40 --d----- c:\program files\Enigma Software Group
2009-06-25 20:33 --d----- c:\program files\SpywareBlaster
2009-06-25 19:47 --d----- C:\!KillBox
2009-06-25 17:52 -cd----- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-25 14:00 --d----- c:\program files\Trend Micro
2009-06-24 22:24 2 a------- c:\windows\010112010146118114.dat
2009-06-24 22:13 --d----- c:\program files\Spybot - Search & Destroy
2009-06-24 20:44 --d----- c:\program files\IObit
2009-06-24 20:44 --d----- c:\docume~1\matt~1.fle\applic~1\IObit
2009-06-24 19:27 --d----- c:\windows\logs
2009-06-24 17:47 --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-06-24 17:13 18,066 a------- c:\windows\1544adzware9324.exe
2009-06-24 17:03 1 a------- c:\windows\system32\q1.dat
2009-06-24 17:02 56,832 ----h--- c:\windows\mstre19.exe
2009-06-24 17:02 1 ----h--- c:\windows\jmmark2.dat
2009-06-24 17:02 66,048 ----h--- c:\windows\freddy46.exe
2009-06-24 03:06 42,496 a------- c:\windows\system32\khmx1.dll
2009-06-23 22:00 --d----- c:\program files\sys
2009-06-23 22:00 90,624 a------- c:\windows\system32\inform.dat
2009-06-23 22:00 42,496 a------- c:\windows\system32\khmx0.dll
2009-06-23 22:00 15,477 a------- c:\windows\system32\lxf
2009-06-23 19:43 163,840 a------- c:\windows\system32\SecureNet.dll
2009-06-23 19:42 1,126,400 a------- c:\windows\system32\libeay32.dll
2009-06-23 19:42 204,800 a------- c:\windows\system32\ssleay32.dll
2009-06-23 19:42 --d----- c:\program files\Hide My IP 2009
2009-06-22 11:00 4,113 a------- c:\windows\system32\1z053worm7579.bin
2009-06-22 10:30 16,955 a------- c:\windows\3129v5r9z6.dll
2009-06-21 22:22 16,830 a------- c:\windows\zc4bthie9557.exe
2009-06-19 22:21 16,962 a------- c:\windows\system32\11z6h5cktoo9253.bin
2009-06-19 12:27 68 a------- c:\windows\MyProg.ini
2009-06-18 22:48 15,109 a------- c:\windows\system32\1489z9py5e5.bin
2009-06-16 00:13 13,353 a------- c:\windows\18001spam59t69z.bin
2009-06-15 03:49 5,692 a------- c:\windows\system32\5c25th9ef21z25.ocx
2009-06-14 02:33 4,737 a------- c:\windows\system32\54198troj715z.bin
2009-06-13 20:13 16,839 a------- c:\windows\system32\z905troj9095.dll
2009-06-13 08:20 4,080 a------- c:\windows\z03downlo9de5975.ocx
2009-06-13 03:22 17,889 a------- c:\windows\858spzrse1915.cpl
2009-06-12 10:12 --d----- c:\docume~1\matt~1.fle\applic~1\GetRightToGo
2009-06-12 03:46 13,852 a------- c:\windows\system32\789ast9alz547.cpl
2009-06-10 03:30 15,470 a------- c:\windows\32ffztea91725.ocx
2009-06-10 00:59 13,110 a------- c:\windows\2835zsp550d9.exe
2009-06-09 12:19 --d-h--- C:\$AVG8.VAULT$
2009-06-08 18:25 10,226 a------- c:\windows\23z19v9rus35f.dll
2009-06-08 09:12 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-08 09:12 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-08 09:12 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-08 09:11 --d----- c:\windows\system32\drivers\Avg
2009-06-08 09:11 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-07 20:50 --d----- c:\program files\TweakRAM
2009-06-07 19:46 1,181,022 a------- c:\windows\system32\TmpA5169390
2009-06-07 15:50 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-07 15:49 --d----- c:\docume~1\matt~1.fle\applic~1\SUPERAntiSpyware.com
2009-06-07 11:00 8,842 a------- c:\windows\system32\5746zhack9ool1f1.ocx
2009-06-06 06:41 4,560 a------- c:\windows\9991doznlo5der3252.ocx
2009-06-05 07:38 17,528 a------- c:\windows\9758spa9bot7z55.cpl
2009-06-04 09:54 4,630 a------- c:\windows\30972wo59ze1.ocx
2009-06-03 14:40 --d----- c:\program files\iTunes
2009-06-02 16:28 7,332 a------- c:\windows\4z21b9ckdoor2544.exe
2009-06-01 19:32 9,824 a------- c:\windows\system32\1220addwarez5629.ocx
2009-06-01 11:44 17,468 a------- c:\windows\system32\b9as5azse1667.bin

==================== Find3M ====================

2009-05-28 16:47 87,608 a------- c:\docume~1\matt~1.fle\applic~1\inst.exe
2009-05-28 16:47 47,360 a------- c:\docume~1\matt~1.fle\applic~1\pcouffin.sys
2009-05-26 20:17 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-05-23 23:50 16,130 a------- c:\windows\29553troj28z.bin
2009-05-23 00:04 15,131 a------- c:\windows\system32\5d73backdooz1691.dll
2009-05-22 02:51 8,994 a------- c:\windows\system32\z6585viru9a5.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-18 21:24 10,229 a------- c:\windows\4f49stea5z140.bin
2009-05-18 07:36 17,120 a------- c:\windows\system32\9a44d5wnloaderz487.dll
2009-05-11 14:24 4,778 a------- c:\windows\system32\z2955ir1094.dll
2009-05-10 16:28 11,769 a------- c:\windows\system32\32z16not9a-5irusaf.dll
2009-05-08 14:40 18,420 a------- c:\windows\501fspyzare8029.exe
2009-05-07 18:19 8,020 a------- c:\windows\system32\3c7bsze5l1096.exe
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-06 02:26 14,448 a------- c:\windows\system32\11588vizu519.dll
2009-05-05 05:44 5,231 a------- c:\windows\4799azdware1656.dll
2009-05-02 00:42 16,248 a------- c:\windows\45z1spy9are3098.exe
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 05:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 05:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 05:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 05:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 05:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 05:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 05:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 05:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 05:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 16:11 9,176 a------- c:\windows\system32\6z399i53159.exe
2009-04-28 10:05 92,160 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 10:05 35,328 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-26 10:27 5,962 a------- c:\windows\system32\2638zt5oj9ff.bin
2009-04-25 06:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 06:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-24 11:42 5,600 a------- c:\windows\3zbaback9o5r10.exe
2009-04-24 05:48 16,472 a------- c:\windows\15489s5am9ot1z.dll
2009-04-20 13:07 13,690 a------- c:\windows\system32\175z1w9rm2265.dll
2009-04-20 01:28 2,768 a------- c:\windows\system32\2699z5pambot719.bin
2009-04-18 13:05 7,087 a------- c:\windows\system32\15341not-9-virzs249.exe
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-16 21:52 10,757 a------- c:\windows\15950hzcktool391.bin
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-04-14 06:36 3,993 a------- c:\windows\system32\15954not-z-vi9us83.exe
2009-04-11 04:37 6,097 a------- c:\windows\605b59ckdozr1119.exe
2009-04-09 05:09 9,179 a------- c:\windows\system32\27388zpam59t7a5.exe
2009-04-09 03:35 9,571 a------- c:\windows\system32\55zdb9ckdoor2676.bin
2009-04-07 17:44 16,454 a------- c:\windows\system32\5969spzrse3503.exe
2009-04-07 13:39 12,474 a------- c:\windows\system32\1b65thrza593751.bin
2009-04-07 04:35 4,428 a------- c:\windows\system32\34859hief226z.bin
2009-04-04 09:42 7,650 a------- c:\windows\255z4not-a-5irus93c.dll
2009-04-03 22:38 18,228 a------- c:\windows\system32\7521wzr93fd.dll
2007-01-25 21:20 40 a------- c:\documents and settings\matt.fleety\language.dat
2006-07-17 13:38 29,784 a------- c:\program files\ Terms.html
2006-07-16 13:45 29,784 a------- c:\program files\popcorn Terms.html
2005-11-04 00:29 72,832 a----r-- c:\windows\inf\CamAvb.sys
2008-01-23 18:44 152 ---shr-- c:\windows\system32\13061D968F.sys
2008-04-08 22:25 88 ---shr-- c:\windows\system32\8F961D0613.sys
2008-04-08 22:25 9,188 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-22 16:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092220080923\index.dat

============= FINISH: 19:28:14.93 ===============
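The log above already carries the answers to several of Matt's symptoms: the uPolicies/dPolicies lines with DisableTaskMgr = 1 and DisableRegistryTools = 1 explain the blocked Task Manager, the TCP: NameServer line points the machine at resolvers worth verifying against what the ISP actually assigns, and the Created Last 30 section lists autostart modules (khmx1.dll, c:\program files\sys) created within days of the trouble, next to dozens of small .bin/.ocx/.cpl files with names like 54198troj715z.bin. The Python below is an added example, not DDS's or the forum's code; it parses a constructed excerpt of that log into its sections and surfaces those three classes of findings. The DNS allowlist, the section titles it expects and the decoy-name heuristic are assumptions.

```python
"""Triage helpers for a DDS log (added example; heuristics and allowlist are assumptions)."""
import re

# Constructed excerpt of the log posted above: a few representative lines, not the full log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
BHO: MSN helper: {4efd3aea-b660-4f24-8519-12531d2a3b0c} - khmx1.dll
uRun: [setup2.exe] c:\windows\system32\setup2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
TCP: NameServer = 85.255.112.108,85.255.112.211
============= SERVICES / DRIVERS ===============
R1 sysdrv;sysdrv;c:\program files\sys\sys.sys [2009-6-24 9344]
R2 sys;sys;c:\windows\system32\svchost.exe -k sys [2004-8-10 35840]
=============== Created Last 30 ================
2009-06-25 23:55 9,943 a------- c:\windows\system32\640abackd9or5z42.dll
2009-06-24 03:06 42,496 a------- c:\windows\system32\khmx1.dll
2009-06-23 22:00 --d----- c:\program files\sys
2009-06-22 11:00 4,113 a------- c:\windows\system32\1z053worm7579.bin
2009-06-08 09:12 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-02 16:28 7,332 a------- c:\windows\4z21b9ckdoor2544.exe
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# A full path (directories may contain spaces) or a bare module name, as DDS prints them.
MODULE_RE = re.compile(
    r'[a-z]:\\(?:[^\\;\[\]"]+\\)*[^\\;\[\]"\s]*?\.(?:dll|exe|sys|ocx|cpl|bin)'
    r'|[\w~-]+\.(?:dll|exe|sys|ocx|cpl|bin)')
CREATED_RE = re.compile(r"^(\S+ \S+)\s+(?:([\d,]+)\s+)?([a-z-]{8})\s+(.+)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s+(\w+)\s*=\s*1\b")
AUTOSTART_PREFIXES = ("BHO:", "TB:", "uRun:", "mRun:", "dRun:", "Notify:", "SSODL:", "SEH:")
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}
MODULE_EXTS = (".exe", ".dll", ".bin", ".ocx", ".cpl")

def parse_sections(text):
    """Map each '=== title ===' section of a DDS log to its non-empty lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def recent_artifacts(created_lines):
    """Files (by lowercase basename) and directories listed under 'Created Last 30'."""
    files, dirs = {}, set()
    for line in created_lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(3), m.group(4).lower()
        if attrs[2] == "d":  # third attribute column is the directory flag
            dirs.add(path)
        else:
            files[path.rsplit("\\", 1)[-1]] = path
    return files, dirs

def lockdown_policies(hjt_lines):
    """Policy values of 1 that hide Task Manager or regedit from the user."""
    names = [m.group(1) for m in map(POLICY_RE.match, hjt_lines) if m]
    return [n for n in names if n in LOCKDOWN_POLICIES]

def unexpected_dns(hjt_lines, allowed_prefixes):
    """Resolvers on 'TCP: NameServer' lines that are not on the caller's allowlist."""
    bad = []
    for line in hjt_lines:
        if line.startswith("TCP: NameServer = "):
            for ip in re.split(r"[,\s]+", line.split("=", 1)[1].strip()):
                if ip and not ip.startswith(tuple(allowed_prefixes)):
                    bad.append(ip)
    return bad

def autostarts_pointing_at_recent(hjt_lines, service_lines, files, dirs):
    """Autostart and service entries whose module, or its directory, was created recently."""
    candidates = [l for l in hjt_lines if l.startswith(AUTOSTART_PREFIXES)]
    candidates += [l for l in service_lines if re.match(r"^[RS][0-4] ", l)]
    hits = []
    for line in candidates:
        for token in MODULE_RE.findall(line.lower()):
            base = token.rsplit("\\", 1)[-1]
            parent = token.rsplit("\\", 1)[0] if "\\" in token else ""
            if base in files:
                hits.append((line, f"{base} was created recently"))
                break
            if parent and any(parent == d or parent.startswith(d + "\\") for d in dirs):
                hits.append((line, f"{parent} was created recently"))
                break
    return hits

def decoy_like_names(files):
    """Heuristic (assumption): modules whose names interleave several digit and letter runs."""
    out = []
    for base, path in files.items():
        stem, dot, ext = base.rpartition(".")
        if (dot and "." + ext in MODULE_EXTS
                and len(re.findall(r"\d+", stem)) >= 2 and len(re.findall(r"[a-z]+", stem)) >= 2):
            out.append(path)
    return sorted(out)

def triage(text, allowed_dns_prefixes=("192.168.", "10.", "8.8.")):
    """Run every check over one DDS log and return the findings."""
    s = parse_sections(text)
    hjt = s.get("Pseudo HJT Report", [])
    files, dirs = recent_artifacts(s.get("Created Last 30", []))
    return {
        "lockdown_policies": lockdown_policies(hjt),
        "unexpected_dns": unexpected_dns(hjt, allowed_dns_prefixes),
        "autostart_hits": autostarts_pointing_at_recent(hjt, s.get("SERVICES / DRIVERS", []), files, dirs),
        "decoy_like": decoy_like_names(files),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(key)
        for item in value:
            print("   ", item)
```

Run against the full log rather than the excerpt, the same checks also catch the dPolicies copies of the two lockdown values and the many other digit-salted .bin/.ocx/.cpl files in both the Created Last 30 and Find3M sections; the allowlist passed to triage should be the resolvers the home router or ISP actually hands out, since the default here is only a placeholder.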

Re: Spyware Alert - WinBlueSoft

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Rcauto10]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [screenshot: Whatne10]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Re: Spyware Alert - WinBlueSoft

Hey,

I downloaded ComboFix.exe and renamed it Combo-Fix.exe

I followed the guide on how to disable my AVG 8.

I then double clicked Combo-Fix and the following error message appeared:

!! ALERT !! It is NOT SAFE to continue!

The contents of the ComboFix package has been compromised.
Please download a fresh copy from:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infected with a file patching virus 'Virut'


I visited the site and downloaded the latest copy but it is the same one, and the same error message appeared.
I also tried downloading ComboFix from the second link you provided (Link 2) and the same error message appeared.

After clicking OK, the error message closes and Combo-Fix is automatically removed from my desktop. Do you think this is maybe because of how I renamed it?

Thanks mate,
Matt.

Re: Spyware Alert - WinBlueSoft

No I don't think renaming caused it.
I don't see any signs of the file infecter called Virut, but I do see signs of another file infecter, called Sality.

I'm afraid I have bad news.

Your system is infected with a polymorphic file infector called Sality. Sality is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.


For more information, please see Here

Instructions how to format and reinstall Windows can be found Here

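The backup rule above (documents only, never .exe or .scr) as a small staging script, added here as an example and not code from the thread or its helper. It goes one step beyond the extension rule by also refusing any file that starts with the MZ executable header, since a renamed program is still a carrier; the paths, the sample files and their contents are constructed.

```python
import os
import shutil
import tempfile
from pathlib import Path

BLOCKED_EXTENSIONS = {".exe", ".scr"}  # helper said leave these out; Sality appends itself to them

def is_pe_file(path):
    """An 'MZ' DOS header means a Windows executable, whatever the extension."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def should_skip(path):
    """Reason the file must stay out of the backup set, or None if it may go."""
    ext = path.suffix.lower()
    if ext in BLOCKED_EXTENSIONS:
        return "blocked extension " + ext
    if is_pe_file(path):
        return "MZ header under a non-executable extension (renamed program)"
    return None

def stage_backup(source, dest):
    """Copy documents into dest (the folder to burn), refusing anything executable."""
    copied, skipped = [], {}
    for root, _dirs, files in os.walk(source):
        for name in files:
            src = Path(root) / name
            rel = str(src.relative_to(source))
            if (reason := should_skip(src)):
                skipped[rel] = reason
                continue
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, target)
            copied.append(rel)
    return {"copied": sorted(copied), "skipped": skipped}

def demo():
    """Constructed sample tree with fake contents (not files from the thread)."""
    base = Path(tempfile.mkdtemp())
    docs = base / "MyDocuments" / "work"
    docs.mkdir(parents=True)
    (docs / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0 fake OLE document")
    (docs / "setup.exe").write_bytes(b"MZ fake program")
    (docs / "bubbles.scr").write_bytes(b"MZ fake screensaver")
    (docs / "holiday.jpg").write_bytes(b"MZ not really a picture")
    return stage_backup(docs.parent, base / "ToBurn")
```

Review the returned skipped list before burning: every entry is a file the post says must not travel with the backup.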

Re: Spyware Alert - WinBlueSoft

Hey,

Ohh snap! So there's nothing else I can do? I can't delete the files manually?

Thank you for all your help sir. You have been a real big help!
Matt.

Re: Spyware Alert - WinBlueSoft

No, because system files are patched too.


Re: Spyware Alert - WinBlueSoft

Hey,

Oh right, okay. I'll re-install Windows then!
So what I should do is backup all important files and re-install windows?

Thanks mate,
Matt.

Re: Spyware Alert - WinBlueSoft

Back them up onto a CD or DVD.


Found FIX

I have had the same problem up until now, and because I found the solution on my own I must share!
Please comment if you find it useful.

Re: Spyware Alert - WinBlueSoft

Hello, while this may have worked in your case, it might not for other users, and in that link you are asking them to download and run very powerful tools that could render their PC useless if not used under supervision. I am going to have to remove the link for everyone's safety.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: Spyware Alert - WinBlueSoft

I gave a warning.

Re: Spyware Alert - WinBlueSoft

You instructed the user to download ComboFix and LSPFix, these two tools could render your PC useless if not properly used.
