
WinBlue Removal Help Please



First timer and thanks for all the helpful posts I've read today. Like some others, I've been infected with the Win Blue Soft virus. I've already done a lot of deleting based on some threads I've seen here but continue to have the black warning screen behind desktop icons, system auto reboots every 8 to 10 minutes, cannot use any desktop icons or run any malware removal or antivirus software.

I was able to get HijackThis 2.02 to run a scan and log. I deleted a number of items from the "scan only" results that I knew were tied to the virus. The latest scan log is below and I would certainly appreciate any help with getting rid of this pain in the butt malware.

Thanks.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:54:17 PM, on 6/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\WINDOWS\itlm\tlmagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup

O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r

O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\DSM1603\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User '?')

O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User '?')

O4 - HKUS\S-1-5-21-57989841-1214440339-839522115-15321\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-57989841-1214440339-839522115-15321\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User '?')

O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User '?')

O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

O4 - Global Startup: PowerReg Scheduler.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1241432811148

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241432895679

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = abc.local

O17 - HKLM\Software\..\Telephony: DomainName = abc.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = abc.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = abc.local

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = abc.local

O20 - AppInit_DLLs: blocker.dll

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: AgentService - Iron Mountain Incorporated - C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\opt\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe

O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Tivoli License Mgr Agent - Unknown owner - C:\WINDOWS\itlm\tlmagent.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: TrcBoot - Unknown owner - C:\WINDOWS\system32\drivers\trcboot.exe

--

End of file - 9736 bytes


  • Staff

Hi,

Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.

* Please download the Suspicious File Packer from here:

http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\Windows\blocker.dll

C:\Windows\system32\blocker.dll

Allow SFP to pack the file. This will generate a CAB archive on your desktop.

Go to this page.

Enter the url of this thread in the first field.

Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was been created on your desktop.

The cab file will be called requested-files[*].cab (the * stands for the date and hour).

Then click the Send File button below.


Thanks much for the information. I disabled the script blocking protection and downloaded dds.scr. When I ran it, it flashed and there was no dds.txt that opened nor any scan options. This Win Blue is stopping me from running almost all programs.

Any other way to get the dds.scr to run on my computer? I've tried the RUN command, right clicking on the dds.scr icon, and any other outside way but am still getting blocked. Plus it doesn't help when the machine is rebooting by itself every 7 to 8 minutes.

Any ideas? Thanks.


  • Staff

Hi,

First of all, please update MalwareBytes, because the database version is outdated. Mbam now detects the malware you are dealing with.

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  • Once the updates are downloaded, perform a full scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


I was able to get the MalwareBytes updated from the direct site you sent me. I ran the software and it did the same thing as before. It will not run due to two runtime errors, 401 and 440. Any other ways to get this MalwareByte to scan my system?

Thanks...btw - great avatar.


  • Staff

Hi,

Try to rename malwarebytes (mbam.exe) to loboke.exe or so :huh:

Then try again.

If still no luck..

Then let's deal with it manually... uninstall WinBlueSoft via software > add&remove programs if present.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O20 - AppInit_DLLs: blocker.dll

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Then reboot.

After reboot, navigate to and delete the file C:\Windows\system32\blocker.dll

If you can't delete it, rename the file to blocker.bad and reboot once again in order to unhook the file. After reboot, you should be able to delete the file then.

Also delete the following if present:

C:\Program Files\WinBlueSoft Software <== folder

c:\documents and settings\All Users\Start Menu\Programs\WinBlueSoft <== folder

Then, open Notepad and copy and paste the text present in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

"NoDispBackgroundPage"=dword:00000000

[-HKEY_LOCAL_MACHINE\SOFTWARE\WinBlueSoft]

[-HKEY_CURRENT_USER\SOFTWARE\WinBlueSoft]

Save this as fix.reg, choosing to save as *all files, and place it on your desktop.

It should look like this: reg.gif

Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Let me know if that solved your issue.

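As an added example (this is not part of the original thread, and not the staff member's own tool), here is a PowerShell audit script that checks the same locations the manual fix above touches: the AppInit_DLLs value that produced the "O20 - AppInit_DLLs: blocker.dll" line in the HijackThis log, the NoDispBackgroundPage policy that the fix.reg resets (when set to 1 it hides the Background/Desktop tab in Display Properties, which is why a theme change would not stick), the WinBlueSoft registry keys, and the file and folder paths named in the reply. Assumptions: the paths are taken from the thread as written, the Start Menu location uses the Windows XP layout, the `-Fix` switch is my own addition and applies exactly the changes the fix.reg makes, and the script must be run from an elevated prompt.

```powershell
# Added example, not from the thread: audit the WinBlueSoft persistence points
# named in the manual fix, and optionally apply the same registry changes as fix.reg.
param([switch]$Fix)   # -Fix is an assumed switch added for this example

$findings = @()

# 1. AppInit_DLLs is normally empty; HijackThis reported "blocker.dll" here (O20 line).
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $appInitKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { $findings += "AppInit_DLLs is set to '$appInit' under $appInitKey (expected empty)" }

# 2. NoDispBackgroundPage=1 hides the Background/Desktop tab; fix.reg sets it back to 0.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$noDisp = (Get-ItemProperty -Path $polKey -Name 'NoDispBackgroundPage' -ErrorAction SilentlyContinue).NoDispBackgroundPage
if ($noDisp -eq 1) { $findings += "NoDispBackgroundPage=1 under $polKey (background tab hidden)" }

# 3. Registry keys, DLL locations and folders listed in the reply.
#    The Start Menu path below is the Windows XP layout (assumption for this example).
$leftovers = @(
    'HKLM:\SOFTWARE\WinBlueSoft',
    'HKCU:\SOFTWARE\WinBlueSoft',
    (Join-Path $env:windir 'blocker.dll'),
    (Join-Path $env:windir 'system32\blocker.dll'),
    (Join-Path $env:ProgramFiles 'WinBlueSoft Software'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\WinBlueSoft')
)
foreach ($item in $leftovers) {
    if (Test-Path -LiteralPath $item) { $findings += "Still present: $item" }
}

# Report what was found so each item can be reviewed before anything is deleted.
if ($findings.Count -eq 0) {
    Write-Host 'No WinBlueSoft artifacts found in the audited locations.'
} else {
    $findings | ForEach-Object { Write-Host "[!] $_" }
}

if ($Fix) {
    # Same effect as merging fix.reg: reset the policy value and remove the two keys.
    if (-not (Test-Path -LiteralPath $polKey)) { New-Item -Path $polKey -Force | Out-Null }
    Set-ItemProperty -Path $polKey -Name 'NoDispBackgroundPage' -Value 0 -Type DWord
    foreach ($key in 'HKLM:\SOFTWARE\WinBlueSoft', 'HKCU:\SOFTWARE\WinBlueSoft') {
        if (Test-Path -LiteralPath $key) { Remove-Item -Path $key -Recurse -Force }
    }
    Write-Host 'Registry changes applied. Reboot, then re-run without -Fix to verify.'
}
```

The script deliberately does not delete blocker.dll itself: as the reply notes, the DLL is loaded into every process through AppInit_DLLs, so it can only be removed (or renamed to blocker.bad) after the AppInit_DLLs value has been cleared and the machine rebooted. Running the audit again after the reboot confirms that the value is empty and the file is gone.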

Mieke, thought we had it but no go. I ran everything letter perfect on the item deletions, created the notepad entry and changed the name; the icon reverted to a registry image, it merged fine and upon reboot I still have the nagging Warning! black background. I tried to run malware again, to use the desktop My Computer icon and it's still hostage to the WinBlue.

FYI, I do have another laptop with Vista on it and could possibly use it as a master and make the ThinkPad a slave? Let me know. I'm sure we're very close.

Thanks for all the help.


A quick update. I was able to get the MalwareByte program running and it's doing its scan right now. Perhaps the changes made to date have helped. The computer is NO LONGER auto rebooting itself and most of the program icons on the desktop appear to function normally. I'll update you as soon as MalwareBytes completes its scan...it has a long way to go.

Thanks.


MalwareBytes ran and wiped out some 2500 problems. I updated my SpyBot and it had a few corrections as well. My old but now updated version of Registry Cleaner found what appears to be the last few. The virus appears to be totally gone...everything is working normally and very fast except I still have the black warning screen as my desktop theme. Small inconvenience but would still like to wipe it out.

Mieke, it's been a pleasure. I had no idea that online help would be the pleasant experience that it has been...not to mention how fast the responses are. Pet the dog for me.

Thanks.


  • Staff

Hi,

> I still have the black warning screen as my desktop theme. Small inconvenience but would still like to wipe it out.

Can't you change that? Just select another theme?

> MalwareBytes ran and wiped out some 2500 problems.

I really want to see a log about this, because it looks like you were also dealing with something totally different. Please upload the log here if it's too large: http://www.bleepingcomputer.com/submit-malware.php?channel=8

I've tried to just change the theme but it doesn't allow it. After I click apply on the chosen theme nothing happens and the black Warning screen stays in the background like it's burned in there.

Will send the mbam log to the address you gave me. It's huge.

Thanks.


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


  • 2 weeks later...

Sorry for the long delay in getting back to you. I had trouble signing in and finally got the password to work today.

Long story short, I'm completely fixed and grateful for your time and help. I decided to go out to the Internet, find a picture that I liked and saved it as my desktop theme and the black screen is gone forever.

Good luck to the next folks that get this Trojan...nasty bugger.


  • Staff

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
