Bad Case of WinBlue Soft

Hello

I read through lots of posts from different victims infected with WinBlue Soft. What I got smells like what PatTheBaker's got (post: "WinBlue Soft Help Please") It's the worst case of WinBLue Soft out there, and it's impossible to fire up any useful application that could help getting somewhere, either from a USB, by renaming it, or by praying like crazy.

I stoped following his post when it got to the deleting of the files in system32. Everything else before that was pretty innocent, but frankly I don't feel confident enough in my skills to make the difference between the bad files and the keepers.

If you can help, should we start over from the top with my own problem or do you think I should go and delete files right away? If deleting is the way to go, I will ask for your input.

Thanks!

Hello.
Lets try this method.

• Now open a new notepad file.
  
• Input this into the notepad file:
  

  
  [Version]
  Signature=$CHICAGO$
  
  [DefaultInstall]
  AddReg=Del.Settings
  
  [Del.Settings]
  HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,setup2.exe,0x00000000
  HKLM,software\microsoft\windows\currentVersion\Run,WinBlueSoft,0x00000000
  HKU,DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run,setup2.exe,0x00000000
  
  

  
  
• Save this as fixreg.inf, save it to your desktop.
  
• Right click fixreg.inf and select install.
  

Delete these files/folders in bold:

C:\Windows\system32\setup2.exe <== file
C:\Program Files\Winblue Software <== folder
C:\Documents and settings\USERNAME\Application Data\winav.exe <== file

Thanks for that quick reply

- Created the notepad on a 2nd computer (the one i'm on right now go on the net) and copied on infected PC's desktop through USB.
- Clicked install
- Don't think it ran (Got alert message "Process runonce.exe terminated Harmful memory infection detected")

As for the deleting:

C:\Windows\system32\setup2.exe == Wouldn't let me
C:\Program Files\Winblue Software == Succesful
C:\Documents and settings\USERNAME\Application Data\winav.exe == I did not see that file in there (there were no floating files, only folders)

Letsy try batch script to delete it.

Now open a new notepad file.
Input this into the notepad file:

@echo off
@echo off
del "C:\Windows\system32\setup2.exe" /q /s >nul
del fix.bat
exit

Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.

Check if setup2.exe is still there please.

- Fired up the .bat and the black window flashed all right. But the process also got terminated the same way the .inf had (or so it said on the bottom right of screen)

- Setup2.exe is stil there, and still won't give

FYI prior to this, all my tests with launching .exe .com .bat .pif .scr .txt and .inf files have failed.

Hello.
Are you able to run regedit.exe or regedt32.exe?

check my topic "click here to remove winbluesoft [!]" im sure it can help.

I removed your topic, this doesn't fully remove Winibluesoft.

Belahzur wrote:

Hello.
Are you able to run regedit.exe or regedt32.exe?

I tried both and did not get any message about process being terminated, but nothing else happened either.

Hmm.
Can you try running MGTools?

Info and link on this page:
http://forums.majorgeeks.com/showthread.php?t=137630

Saved the installer on my USB... Won't run on on my PC

Tried both from the USB and after copying the .exe to desktop. Also tried renaming (manually)