WinBlueSoft Removal Help


34 replies to this topic

#1 Geckstein

Geckstein

  • Members
  • 4 posts

Posted 01 June 2009 - 11:19 PM

I hope this is the correct forum to post in. Anyway, earlier today, on my Windows XP Desktop, I was looking at a random video. There was a pop up saying that I needed to update my Adobe Player (or something). Without thinking (I am not used to Firefox - it was out of date on the XP) I clicked on the green check mark. It started to install something. Suddenly my Avast kept popping up that there was a virus, and I kept moving it to the virus Chest. Then I noticed WinBlueSoft running. Without thinking, I clicked to uninstall it. However, it basically locked up my system, and when I restarted I received the background "WARNING YOUR'RE IN DANGER! YOUR COMPUTER IS INFECTED WITH SPYWARE! ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND E-MAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDART TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN. Every sit you or somebody or even something, like spyware, opened in your browsers, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could break your life! SECURE YOURSELF RIGHT NOW! REMOVE ALL SPYWARE FROM YOUR PC!"... I haven't received any pop ups asking me to buy the product like some people say they do, but I really can't do anything on the PC.

I checked a previous thread on here with the same topic... found here:
http://www.bleepingcomputer.com/forums/lof...hp/t221918.html

I am not good enough with computers to fix it myself. Anyway, something weird happened. The Start button tool bar (the taskbar?) didn't look like it normally does on an XP machine, but rather more like a 95, 98, ME... It looks grey and really primitive. Anyway, none of the programs really start up. I can't access internet, and I can't access my flash drive (to follow the manual install like on the similar thread). I can't run my Avast or Spybot, and since I can't manually put it with my flash drive (does not recognize it), nor can I get on the internet because it does not recognize I am connected, what should I do? I disabled WinBlueSoft through MSCONFIG on Startup, and I think that is when the taskbar went gray (not like XP normally looks).

Btw, I am on my Vista Laptop.

I am sorry for not being able to explain it better, and kind of ticked for not thinking before clicking.

Please help....

Thank you, :-)

Geckstein


#2 Geckstein


Posted 02 June 2009 - 10:29 AM

Ok, so good news. The XP taskbar somehow returned (the previous one I believe was from Windows 2000). I can access internet and probably flash drive now, so I will try to work on the problem and go from there.

Thanks :thumbsup:

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 June 2009 - 11:22 AM

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 02 June 2009 - 09:39 PM

Also tell me if you have a C:\Windows\System32\blocker.dll file. If you do, try and copy it to C:\blocker.dll and then submit it here please:

http://www.bleepingcomputer.com/submit-malware.php?channel=3

#5 abbarron

abbarron

  • Members
  • 13 posts

Posted 03 June 2009 - 08:52 AM

I am getting two run time errors when I try to run the program and can't get around even when I tried my flash drive.....any help would be greatly appreciated!

#6 quietman7


Posted 03 June 2009 - 09:08 AM

> I am getting two run time errors when I try to run the program

What program (was it MBAM)?
What are the specific error messages?
Did you search for and submit blocker.dll if it was found?

#7 Grinler


Posted 03 June 2009 - 09:21 AM

Just a heads up that Malwarebytes now has removal support for this infection.

#8 abbarron


Posted 03 June 2009 - 09:36 AM

>> I am getting two run time errors when I try to run the program
>
> What program (was it MBAM)?
> What are the specific error messages?
> Did you search for and submit blocker.dll if it was found?

The program was MBAM, the errors are as follows:

vb Accelarator SGrid ll Control
Runtime error '0'

Malwarebytes' Anti Malware
Runtime error '440'
Automation error

Not sure what you're talking about: "Did you search for and submit blocker.dll if it was found?" Explain please.

#9 Grinler


Posted 03 June 2009 - 09:41 AM

Open up the C:\program files\Malwarebytes' Anti-Malware folder.

When the folder opens look for the icon that is called mbam. Right-click on it and select rename. Then change its name to explore.

Then double-click on the icon now labeled iexplore. Does it run properly now?

#10 abbarron


Posted 03 June 2009 - 09:51 AM

no it is not doing anything!

#11 abbarron


Posted 03 June 2009 - 10:17 AM

still getting the runtime errors

#12 Grinler


Posted 03 June 2009 - 11:26 AM

Try this:

Please download OTM
  • Save it to your desktop.
  • Once it is downloaded, rename it to iexplore.exe.
  • Once it is renamed, please double-click the icon labeled iexplore to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files 
    C:\Windows\System32\blocker.dll
    
    :Commands
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Then, let us know if you can run malwarebytes. If you can then also post the log using the steps given by Quietman here:

http://www.bleepingcomputer.com/forums/ind...t&p=1285524

#13 abbarron


Posted 03 June 2009 - 09:04 PM


I hate to say this, but this did not work either. It would not allow it to run; runtime errors as well.

Let me state a few facts: I am on Windows XP with all service packs up to date.

I have followed the installation procedures and continue to get the runtime errors I state above.

Is there anything left to do to try and fix this?

This is the worst thing I have ever encountered!!!

Edited by abbarron, 03 June 2009 - 09:05 PM.


#14 quietman7


Posted 04 June 2009 - 12:41 PM

Some infections are difficult to remove completely because of their morphing characteristics which allow the malware to regenerate itself. Sometimes there is a hidden piece of malware (i.e. rootkit) which has not been detected by your security tools that protects malicious files and registry keys so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#15 dshosu

dshosu

  • Members
  • 1 posts

Posted 04 June 2009 - 01:44 PM

I just had this virus/malware and this is how I think I remember getting rid of it:
  • In WinBlueSoft (yes, you read that correctly, because WinBlueSoft blocks all other programs/processes including the Windows Task Manager) I went to tools>task manager> and ended setup2.exe and then tools>manage autorun> and deleted the entry that auto-started the setup2.exe process (I think this is what keeps reinstalling anything you try to delete)
  • Booted into safe mode with networking (hold F8 while booting in Vista)
  • Removed %Windows%\System32\blocker.dll (this is what I think was "blocking" all other programs/processes from running)
  • Reboot into normal mode and you should be able to download/run whatever you want now.
...in my case I just deleted the files and registry keys listed
The files to be deleted are listed below:
%Windows%\System32\blocker.dll
%Program Files%\WinBlueSoft Software
%Program Files%\WinBlueSoft Software\WinBlueSoft
%Program Files%\WinBlueSoft Software\WinBlueSoft\data.bin
%Program Files%\WinBlueSoft Software\WinBlueSoft\license.txt
%Program Files%\WinBlueSoft Software\WinBlueSoft\uninstall.exe
%Program Files%\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe
%Documents and Settings%\All Users\Desktop\WinBlueSoft.lnk
%Documents and Settings%\All Users\Start Menu\Programs\WinBlueSoft
%Documents and Settings%\All Users\Start Menu\Programs\WinBlueSoft\1 WinBlueSoft.lnk
%Documents and Settings%\All Users\Start Menu\Programs\WinBlueSoft\2 Homepage.lnk
%Documents and Settings%\All Users\Start Menu\Programs\WinBlueSoft\3 Uninstall.lnk

The associated registry entries to be removed are as follows:
HKEY_CURRENT_USER\Software\WinBlueSoft
HKEY_LOCAL_MACHINE\SOFTWARE\WinBlueSoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinBlueSoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “WinBlueSoft”
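
A read-only presence check for the files and registry entries listed in the post above, as an added example that is not part of the original thread. It assumes the Windows XP folder layout for the post's %...% placeholders, checks top-level items only, and its function and variable names are illustrative.

```powershell
# Added example: read-only check, nothing is deleted or modified.
# The post's %Windows%, %Program Files% and %Documents and Settings% are
# notation, not real variables; this mapping assumes the Windows XP layout.
$roots = @{
    '%Windows%'                          = $env:SystemRoot
    '%Program Files%'                    = $env:ProgramFiles
    '%Documents and Settings%\All Users' = $env:ALLUSERSPROFILE
}
# Top-level items only: a parent folder stands in for the files inside it.
$files = @(
    '%Windows%\System32\blocker.dll',
    '%Program Files%\WinBlueSoft Software',
    '%Documents and Settings%\All Users\Desktop\WinBlueSoft.lnk',
    '%Documents and Settings%\All Users\Start Menu\Programs\WinBlueSoft'
)
$keys = @(
    'HKCU:\Software\WinBlueSoft',
    'HKLM:\SOFTWARE\WinBlueSoft',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinBlueSoft'
)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Expand-PostPath([string]$Path) {
    foreach ($k in $roots.Keys) { $Path = $Path.Replace($k, [string]$roots[$k]) }
    return $Path
}
function New-Finding($Type, $Item, $Present) {
    New-Object psobject -Property @{ Type = $Type; Item = $Item; Present = [bool]$Present }
}

$report = @()
foreach ($f in $files) {
    $p = Expand-PostPath $f
    $report += New-Finding 'File' $p (Test-Path -LiteralPath $p)
}
foreach ($k in $keys) {
    $report += New-Finding 'Key' $k (Test-Path -LiteralPath $k)
}
# The Run entry is a value named WinBlueSoft under the Run key, not a subkey,
# so Test-Path cannot see it; look at the key's value names instead.
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
$hit = $run.PSObject.Properties | Where-Object { $_.Name -eq 'WinBlueSoft' }
$report += New-Finding 'RunValue' "$runKey -> WinBlueSoft" $hit

$report | Format-Table Type, Present, Item -AutoSize
```

Any row with Present set to True after a cleanup pass means the corresponding item from the list is still on the machine.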



