Trojan Virtumonde


20 replies to this topic

#1 Révoltamania

Révoltamania

  • Members
  • 11 posts

Posted 02 July 2007 - 09:44 AM

I have tried to run my Ad-Aware, but as soon as I receive notifications from my BitDefender (BitDefender has blocked memscan:trojan.virtumod.ama, you have not been infected; 4 different ones like this), my Ad-Aware process freezes and I cannot continue. I have made a scan with Spybot too; it has removed some spyware but not Virtumonde. I have run VundoFix and FixVundo with still no success.

So now here is my log from HijackThis.

Thank you!


Logfile of HijackThis v1.99.1
Scan saved at 10:36:20, on 2007-07-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\dllcache\winmga.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {402672B3-9F58-443A-A504-A9E76B64C6F5} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Microsoft Genuine Advantage - Unknown owner - C:\WINDOWS\system32\dllcache\winmga.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 02 July 2007 - 11:22 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Révoltamania :thumbsup:

Please make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

=========================

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\dllcache\winmga.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply please.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\dllcache\winmga.exe
Then click on 'Send'.
Post the results into your next reply please.

=========================

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log.
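An added example, not code from this thread, from HijackThis or from BleepingComputer, that turns the judgement applied above into a small triage routine: the `(no name)` O2 BHO whose DLL is already missing and the "Unknown owner" O23 service running from system32\dllcache are the two entries this thread singles out. It parses HijackThis v1.99.1-style O2 and O23 lines; the sample lines are constructed from entries posted in this thread, and the heuristics are this example's own assumptions, not HijackThis rules.

```python
"""Triage of HijackThis (v1.99.1-style) O2 and O23 log entries.

Two judgements are encoded, mirroring the ones made in this thread:
  * an O2 BHO registered with no name whose DLL is reported "(file missing)"
    is an orphaned hijacker registration (the CLSID outlives the DLL);
  * an O23 service with no vendor ("Unknown owner") whose binary sits in
    system32\\dllcache is suspicious, because dllcache is Windows File
    Protection's copy store, not a location services are installed to.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "O2 - BHO: ..." / "O23 - Service: ..." -> section prefix and body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# O2 body: BHO: <name> - {CLSID} - <path> [(flag)]
BHO_RE = re.compile(
    r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?: \((?P<flag>[^)]+)\))?$"
)
# O23 body: Service: <display name> - <owner> - <path> [(flag)]
SVC_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?: \((?P<flag>[^)]+)\))?$"
)

# Constructed sample, modelled on the lines posted in this thread. The bdss
# line keeps the stray quote that makes HijackThis print "(file missing)"
# for the BitDefender services; that quirk must not produce a finding.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {402672B3-9F58-443A-A504-A9E76B64C6F5} - C:\WINDOWS\system32\vturq.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Microsoft Genuine Advantage - Unknown owner - C:\WINDOWS\system32\dllcache\winmga.exe
"""


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def triage_line(raw: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing looks off."""
    m = ENTRY_RE.match(raw.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []
    if section == "O2":
        b = BHO_RE.match(body)
        if b:
            if b.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
            if b.group("flag") == "file missing":
                reasons.append("orphaned BHO: DLL gone, CLSID still registered")
    elif section == "O23":
        s = SVC_RE.match(body)
        if s:
            if "\\dllcache\\" in s.group("path").lower():
                reasons.append("service binary lives in dllcache (WFP cache)")
            if (s.group("owner") == "Unknown owner"
                    and s.group("name").lower().startswith("microsoft")):
                reasons.append("Microsoft-sounding name but no vendor info")
    if not reasons:
        return None
    return Finding(section, raw.strip(), reasons)


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.section, f.line)
        for r in f.reasons:
            print("   -", r)
```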

#3 Révoltamania

Révoltamania
  • Topic Starter

  • Members
  • 11 posts

Posted 02 July 2007 - 02:16 PM

First, thanks a lot RichieUk for your time, I appreciate it :thumbsup:

And now here is what you asked me for:

"Administrateur" - 2007-07-02 15:02:52 - ComboFix 07-07-03 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))


2007-07-02 15:02 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-02 14:40 209,453 --a------ C:\winsdns.exe
2007-07-02 08:55 30,770 --a------ C:\winfocus.exe
2007-07-01 22:10 <REP> d-------- C:\VundoFix Backups
2007-07-01 21:47 209,453 --a------ C:\winznd.exe
2007-07-01 20:38 30,770 --a------ C:\winptz.exe
2007-07-01 17:14 26,171 --a------ C:\WINDOWS\system32\yayvutu.dll
2007-06-04 19:00 <REP> d-------- C:\Program Files\Belkin
2007-06-04 18:58 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-06-04 18:58 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-06-04 18:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-06-04 18:58 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-06-02 11:46 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-02 11:32 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2007-06-02 11:32 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2007-06-02 11:32 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2007-06-02 11:24 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-06-02 11:24 35,736 --a------ C:\WINDOWS\DIIUnin.dat
2007-06-02 11:24 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-06-02 11:05 <REP> d-------- C:\Program Files\Diablo II


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-02 19:00:33 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2007-07-01 21:36:28 14 ----a-w C:\WINDOWS\system32\getfile.dat
2007-06-13 11:56:44 -------- d-----w C:\Program Files\Soulseek
2007-06-13 11:55:50 -------- d-----w C:\Program Files\eMule
2007-05-27 18:30:33 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-27 18:17:07 -------- d-----w C:\Program Files\Ubisoft
2007-05-24 00:24:39 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-20 18:54:05 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
2007-05-20 18:36:00 -------- d-----w C:\Program Files\Creative
2007-05-20 18:34:56 -------- d--h--w C:\Program Files\Creative Installation Information
2007-05-20 18:33:10 -------- d-----w C:\Program Files\Fichiers communs\Creative
2007-05-16 15:13:53 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-08 17:48:02 -------- d-----w C:\Program Files\PowerArchiver
2007-05-08 16:07:42 -------- d-----w C:\Program Files\Sirtech
2007-05-06 15:31:58 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-03 22:32:25 -------- d-----w C:\Program Files\THQ
2007-05-02 00:57:02 -------- d-----w C:\Program Files\Microsoft Games
2007-04-25 14:22:35 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:14:18 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2004-12-14 01:56 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{402672B3-9F58-443A-A504-A9E76B64C6F5}]
C:\WINDOWS\system32\vturq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDOESRV"="C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" [2005-03-11 18:53]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 19:26]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 04:51]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2006-05-04 13:30]
"BDNewsAgent"="C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe" [2005-06-09 11:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d05776c2-627c-11d9-91f4-806d6172696f}]
AutoRun\command- D:\Autorun.exe


**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 15:04:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-02 15:04:36

--- E O F ---





File: winmga.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5: 12de78fe79a28d68fa59c550b3dc0eae
Packers detected: -
Bit9 reports: File not found





Logfile of HijackThis v1.99.1
Scan saved at 15:07:55, on 2007-07-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\dllcache\winmga.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {402672B3-9F58-443A-A504-A9E76B64C6F5} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Microsoft Genuine Advantage - Unknown owner - C:\WINDOWS\system32\dllcache\winmga.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 02 July 2007 - 02:43 PM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash, that's normal.

@echo off
rem The service name contains spaces, so it must be quoted or sc treats each word as a separate argument.
rem sc expects the service key name; if it reports the service does not exist, the display name shown by HijackThis differs from the key name (check services.msc).
sc stop "Microsoft Genuine Advantage"
sc delete "Microsoft Genuine Advantage"

Restart your pc.

===========================

Please download the OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\winsdns.exe
C:\winfocus.exe
C:\winznd.exe
C:\winptz.exe
C:\WINDOWS\system32\yayvutu.dll
C:\WINDOWS\system32\dllcache\winmga.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

If you didn't reboot above, please do so now.
Post a new Hijackthis log in your next reply.

#5 Révoltamania

Révoltamania
  • Topic Starter

  • Members
  • 11 posts

Posted 02 July 2007 - 04:07 PM

Logfile of HijackThis v1.99.1
Scan saved at 17:01:55, on 2007-07-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {402672B3-9F58-443A-A504-A9E76B64C6F5} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Microsoft Genuine Advantage - Unknown owner - C:\WINDOWS\system32\dllcache\winmga.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

**I have to say that each time I open my C: drive, my BitDefender stops 5 or 6 alerts saying that BitDefender has blocked the virus (rather ironic since I got the virus anyway..), and there I see bizarre file names, the same as the ones you asked me to move earlier: winfocus... winptz... windns... winznd

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 02 July 2007 - 04:30 PM

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Microsoft Genuine Advantage
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

===========================

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes', and your 'System Restore' directories will be purged.

Restart your pc.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

===========================

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {402672B3-9F58-443A-A504-A9E76B64C6F5} - C:\WINDOWS\system32\vturq.dll (file missing)
O23 - Service: Microsoft Genuine Advantage - Unknown owner - C:\WINDOWS\system32\dllcache\winmga.exe (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.

Edited by RichieUK, 02 July 2007 - 04:31 PM.


#7 Révoltamania

Révoltamania
  • Topic Starter

  • Members
  • 11 posts

Posted 02 July 2007 - 06:00 PM

Sorry, but I don't have this one when I run HijackThis: O23 - Service: Microsoft Genuine Advantage - Unknown owner - C:\WINDOWS\system32\dllcache\winmga.exe (file missing)


See:
Logfile of HijackThis v1.99.1
Scan saved at 18:55:12, on 2007-07-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {402672B3-9F58-443A-A504-A9E76B64C6F5} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#8 RichieUK

Malware Assassin, Malware Response Team, 13,614 posts

Posted 02 July 2007 - 06:51 PM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {402672B3-9F58-443A-A504-A9E76B64C6F5} - C:\WINDOWS\system32\vturq.dll (file missing)
-------------------------------------

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.


#9 Révoltamania

Topic Starter, Members, 11 posts

Posted 02 July 2007 - 07:47 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/02/2007 at 08:20 PM

Application Version : 3.9.1008

Core Rules Database Version : 3263
Trace Rules Database Version: 1274

Scan type : Complete Scan
Total Scan Time : 00:21:02

Memory items scanned : 384
Memory threats detected : 0
Registry items scanned : 5288
Registry threats detected : 0
File items scanned : 31248
File threats detected : 120

Adware.Tracking Cookie

Logfile of HijackThis v1.99.1
Scan saved at 20:41:18, on 2007-07-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Still got the same problem :huh: Each time I click on my C: hard drive, about 12 messages from BitDefender appear saying that it successfully blocked a virus and that my PC is not infected :flowers: Here are some of what BitDefender blocked: trojan.lowzones.sa, memscan:trojan.virtumod.ama, trojan.spy.ubstat.b, trojan.virtumod.IZ or IC ..... But I thank you very much for all you have done so far for me :thumbsup:

#10 RichieUK

Malware Assassin, Malware Response Team, 13,614 posts

Posted 02 July 2007 - 08:00 PM

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

#11 Révoltamania

Topic Starter, Members, 11 posts

Posted 02 July 2007 - 08:58 PM

"Administrateur" - 2007-07-02 21:55:14 - ComboFix 07-07-03 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-06-03 to 2007-07-03 )))))))))))))))))))))))))))))))


2007-07-02 18:46 <REP> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-02 18:46 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-02 18:46 <REP> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-02 15:02 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-02 14:40 209,453 --a------ C:\winsdns.exe
2007-07-02 08:55 30,770 --a------ C:\winfocus.exe
2007-07-01 22:10 <REP> d-------- C:\VundoFix Backups
2007-07-01 21:47 209,453 --a------ C:\winznd.exe
2007-07-01 20:38 30,770 --a------ C:\winptz.exe
2007-07-01 17:14 26,171 --a------ C:\WINDOWS\system32\yayvutu.dll
2007-06-04 19:00 <REP> d-------- C:\Program Files\Belkin
2007-06-04 18:58 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-06-04 18:58 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-06-04 18:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-06-04 18:58 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-06-02 11:46 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-02 11:32 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2007-06-02 11:32 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2007-06-02 11:32 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2007-06-02 11:24 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-06-02 11:24 35,736 --a------ C:\WINDOWS\DIIUnin.dat
2007-06-02 11:24 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-06-02 11:05 <REP> d-------- C:\Program Files\Diablo II


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-03 01:53:36 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2007-07-02 22:46:00 -------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2007-07-01 21:36:28 14 ----a-w C:\WINDOWS\system32\getfile.dat
2007-06-13 11:56:44 -------- d-----w C:\Program Files\Soulseek
2007-06-13 11:55:50 -------- d-----w C:\Program Files\eMule
2007-05-27 18:30:33 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-27 18:17:07 -------- d-----w C:\Program Files\Ubisoft
2007-05-24 00:24:39 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-20 18:54:05 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
2007-05-20 18:36:00 -------- d-----w C:\Program Files\Creative
2007-05-20 18:34:56 -------- d--h--w C:\Program Files\Creative Installation Information
2007-05-20 18:33:10 -------- d-----w C:\Program Files\Fichiers communs\Creative
2007-05-16 15:13:53 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-08 17:48:02 -------- d-----w C:\Program Files\PowerArchiver
2007-05-08 16:07:42 -------- d-----w C:\Program Files\Sirtech
2007-05-06 15:31:58 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-03 22:32:25 -------- d-----w C:\Program Files\THQ
2007-04-25 14:22:35 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:14:18 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2004-12-14 01:56 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDOESRV"="C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" [2005-03-11 18:53]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 19:26]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 04:51]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2006-05-04 13:30]
"BDNewsAgent"="C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe" [2005-06-09 11:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d05776c2-627c-11d9-91f4-806d6172696f}]
AutoRun\command- D:\Autorun.exe


**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 21:56:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-02 21:56:52
C:\ComboFix2.txt ... 2007-07-02 15:04

--- E O F ---

#12 RichieUK

Malware Assassin, Malware Response Team, 13,614 posts

Posted 03 July 2007 - 04:21 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\winsdns.exe
C:\winfocus.exe
C:\winznd.exe
C:\winptz.exe
C:\WINDOWS\system32\yayvutu.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt, into your next reply.
Also post a new HijackThis log.
Let me know what's happening now.
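As an added example (not ComboFix, Avenger or the helper's own tooling), the Python below parses the "Files Created" section of the ComboFix log in post #11 and applies an assumed triage heuristic: recently created code files sitting in the drive root or directly in system32, plus identical byte sizes under different random names, which is the pattern the five files in the Avenger script above share. The sample lines are copied from that log and trimmed, and the scan time and 3-day window are constructed for the example.

```python
"""Triage helper for the 'Files Created' section of a ComboFix log.
Added example, not ComboFix, Avenger or the helper's own tooling; the
selection rule below is an assumed heuristic, not one stated in the thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the ComboFix format, copied from the log in post #11
# and trimmed to a handful of lines ('<REP>' is the French directory marker).
SAMPLE_LOG = """\
2007-07-02 18:46 <REP> d-------- C:\\Program Files\\SUPERAntiSpyware
2007-07-02 15:02 49,152 --a------ C:\\WINDOWS\\nircmd.exe
2007-07-02 14:40 209,453 --a------ C:\\winsdns.exe
2007-07-02 08:55 30,770 --a------ C:\\winfocus.exe
2007-07-01 22:10 <REP> d-------- C:\\VundoFix Backups
2007-07-01 21:47 209,453 --a------ C:\\winznd.exe
2007-07-01 20:38 30,770 --a------ C:\\winptz.exe
2007-07-01 17:14 26,171 --a------ C:\\WINDOWS\\system32\\yayvutu.dll
2007-06-04 18:58 9,600 --a------ C:\\WINDOWS\\system32\\drivers\\hidusb.sys
2007-06-02 11:46 43,520 --a------ C:\\WINDOWS\\system32\\CmdLineExt03.dll
"""

# date time   size-or-<REP>   9-char attribute field   path (may contain spaces)
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<REP>|[\d,]+)\s+(\S{9})\s+(.+)$")

# Assumed heuristic: the droppers in this thread landed either in the drive
# root or directly in system32, so only those two parent directories count.
SUSPECT_PARENTS = ("c:\\", "c:\\windows\\system32\\")
CODE_EXT = (".exe", ".dll", ".sys", ".scr", ".pif")


def parse_files_created(text):
    """Parse ComboFix 'Files Created' lines into
    (created: datetime, size: int or None, attrs: str, path: str) tuples.
    Directories ('<REP>') get size None; unparseable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        size = None if m.group(2) == "<REP>" else int(m.group(2).replace(",", ""))
        entries.append((created, size, m.group(3), m.group(4)))
    return entries


def parent_dir(path):
    """'C:\\WINDOWS\\system32\\x.dll' -> 'c:\\windows\\system32\\'."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def triage(entries, scan_time, window_days=3):
    """Return (suspect_paths, repeated_sizes).

    suspect_paths: code files created within window_days before scan_time
    (given as 'YYYY-MM-DD HH:MM') whose parent is a suspect location.
    repeated_sizes: {size: [paths]} for suspects sharing an exact byte size,
    which in this log exposes one dropper written under two random names."""
    cutoff = datetime.strptime(scan_time, "%Y-%m-%d %H:%M") - timedelta(days=window_days)
    suspects = [
        e for e in entries
        if e[1] is not None                      # skip directories
        and e[0] >= cutoff                       # recent only
        and parent_dir(e[3]) in SUSPECT_PARENTS
        and e[3].lower().endswith(CODE_EXT)
    ]
    by_size = defaultdict(list)
    for _, size, _, path in suspects:
        by_size[size].append(path)
    repeated = {s: p for s, p in by_size.items() if len(p) > 1}
    return [e[3] for e in suspects], repeated


def avenger_script(paths):
    """Format paths as the 'Files to delete:' block Avenger reads (the same
    layout as the script in post #12); review the list before using it."""
    return "Files to delete:\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = parse_files_created(SAMPLE_LOG)
    paths, repeated = triage(found, "2007-07-02 21:55")
    print(avenger_script(paths))
    for size, names in repeated.items():
        print(f"# {size:,} bytes shared by: {', '.join(names)}")
```

On the sample the heuristic returns exactly the five files the helper listed, and reports the two size pairs (209,453 and 30,770 bytes) that mark the same payload dropped twice under random names.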

#13 Révoltamania

Topic Starter, Members, 11 posts

Posted 03 July 2007 - 06:22 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ocwtwyas

*******************

Script file located at: \??\C:\Program Files\yrpwlsoq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\winsdns.exe deleted successfully.
File C:\winfocus.exe deleted successfully.
File C:\winznd.exe deleted successfully.
File C:\winptz.exe deleted successfully.
File C:\WINDOWS\system32\yayvutu.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Logfile of HijackThis v1.99.1
Scan saved at 19:19:30, on 2007-07-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


It seems to have worked this time. I didn't have any BitDefender pop-up when entering my C: + all these damn undeletable files are now deleted :thumbsup:

#14 RichieUK

Malware Assassin, Malware Response Team, 13,614 posts

Posted 03 July 2007 - 06:31 PM

Your log is clean :thumbsup:
If all's OK, please do the following:

Find and delete:
Combofix
fix.bat
OTMoveIt
Avenger


C:\VundoFix Backups
C:\Avenger
C:\QOOBOX
C:\_OTMoveIt

------------------------------

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading unselect 'Show hidden files and folders'.
* Re-check the 'Hide file extensions for known types' option.
* Re-check the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

------------------------------

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on OK.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#15 Révoltamania

Topic Starter, Members, 11 posts

Posted 03 July 2007 - 06:52 PM

:thumbsup: :flowers: ... as soon as I started ATF Cleaner I received 4 pop-ups from BitDefender....



