Simpler Navigation for Servers and Operating Systems - Please Update Your Bookmarks
Completed: a much simpler Servers and Operating Systems section of the Community. We combined many of the older boards, so you won't have to click through so many levels to get at the information you need. Check the consolidated boards here as many sub-forums are now single boards.
If you have bookmarked forums or discussion boards in Servers and Operating Systems, we suggest you check and update them as needed.
Showing results for 
Search instead for 
Did you mean: 


Go to solution
Danny Lim_3
Occasional Visitor


My PC is being attacked by bling.exe ,winssv ,
winfirewall virus. Can someone please help.
Attached are my HijackThis Log.
Your help will be much appreciated
Georg Tresselt
Honored Contributor
Ron Kinner
Honored Contributor

Re: HijackThis


You came to the right place. My company was one of the first ones attacked by this malware. See my post:

Yours is a slightly newer version and uses a few different names.

You got it because your PC did not have the latest Microsoft updates and you will get it again until you get the updates or download and run Zone Alarm. It is a good idea to run Zone Alarm. It will give you a chance to download the updates without being reinfected.

Boot into Safe Mode (F8 - without networking)
and check the following then Fix Checked:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Microsoft update service] systemm.exe
O4 - HKLM\..\Run: [MS FIREWALL] msfirewall.exe
O4 - HKLM\..\RunServices: [MS FIREWALL] msfirewall.exe
O4 - HKLM\..\RunServices: [Microsoft update service] systemm.exe

O4 - HKCU\..\Run: [MS FIREWALL] msfirewall.exe
O4 - HKCU\..\RunServices: [MS FIREWALL] msfirewall.exe

Before you reboot open Explore (Right click on Start and select Explore) and locate the folder C:\Windows\System32. You will probably have to tell it you want to see the hidden files. See the following article:

Change it to display Details instead of Icons then find one of the files that you know belongs to the virus. msfirewall.exe winssv.exe or bling.exe. Sort by Date by clicking on the top of the date column. Find all other programs that have the same date. You may want to open the file O (or it may use another letter by now) with notepad to see who you got the virus from. If it says then I think you opened an email but usually it will tell you what IP address infected it. Delete all of the files from the same date and time. Repeat for the C:\Windows and C:\ folders.

Reboot with the network cable disconnected and you should be clear of the virus now. As I mentioned earlier if you don't patch your system or run Zone Alarm the virus will get you almost as soon as you reconnect the cable. Patches are at: