Another virtumonde infection



zazz666
2008-09-29, 20:45
I've been trying to remove it for a while now... I need help very badly



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:41:43, on 2008-09-29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM1b564665] Rundll32.exe "C:\WINDOWS\system32\hukdaivj.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222369069046
O20 - AppInit_DLLs: edgiwt.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Fichiers communs\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Fichiers communs\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 3713 bytes

pskelley
2008-09-30, 16:41
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

TeaTimer is disabled, please leave it that way.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Thanks

zazz666
2008-09-30, 21:25
ComboFix 08-09-28.05 - Katerine Thomas 2008-09-30 15:06:50.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2528 [GMT -4:00]
Launched from: C:\Documents and Settings\Katerine Thomas.ZAZZ\Bureau\ComboFix.exe
* A new restore point was created

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\BM1b564665.txt
C:\WINDOWS\BM1b564665.xml
C:\WINDOWS\faceback.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\Poqtvyxx.ini
C:\WINDOWS\system32\Poqtvyxx.ini2
C:\WINDOWS\system32\xxyawxyy.dll
C:\WINDOWS\system32\xxyvtqoP.dll

.
((((((((((((((((((((((((((((( Files created from 2008-08-28 to 2008-09-30 ))))))))))))))))))))))))))))))))))))
.

2008-09-30 15:13 . 2008-09-30 15:14 113,053 --a------ C:\WINDOWS\BM1b564665.xml
2008-09-29 16:00 . 2008-09-29 16:01 959,545 ---hs---- C:\WINDOWS\system32\uiafbbvj.ini
2008-09-29 16:00 . 2008-09-29 16:00 67,072 --a------ C:\WINDOWS\system32\jvbbfaiu.dll
2008-09-29 15:57 . 2008-09-29 15:57 123,904 --a------ C:\WINDOWS\system32\zeawvq.dll
2008-09-29 15:57 . 2008-09-29 15:57 123,904 --a------ C:\WINDOWS\system32\hifyxboc.dll
2008-09-29 15:57 . 2008-09-29 15:57 101,888 --a------ C:\WINDOWS\system32\nprdvejv.dll
2008-09-29 12:58 . 2008-09-29 12:58 <REP> d-------- C:\Program Files\CCleaner
2008-09-29 12:58 . 2008-09-29 13:16 <REP> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-09-29 12:57 . 2008-08-05 18:58 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-09-28 16:02 . 2008-09-28 16:02 975,436 ---hs---- C:\WINDOWS\system32\xiwwfkhl.ini
2008-09-28 16:02 . 2008-09-28 16:02 71,168 --a------ C:\WINDOWS\system32\lhkfwwix.dll
2008-09-28 15:59 . 2008-09-28 15:59 128,000 --a------ C:\WINDOWS\system32\imxexbeo.dll
2008-09-28 15:59 . 2008-09-28 15:59 128,000 --a------ C:\WINDOWS\system32\edgiwt.dll
2008-09-28 15:56 . 2008-09-28 15:56 105,984 --------- C:\WINDOWS\system32\hukdaivj.dll_old
2008-09-27 16:02 . 2008-09-27 16:02 975,436 ---hs---- C:\WINDOWS\system32\usupnykg.ini
2008-09-27 15:59 . 2008-09-27 15:59 128,000 --a------ C:\WINDOWS\system32\wivpzy.dll
2008-09-27 15:59 . 2008-09-27 15:59 128,000 --a------ C:\WINDOWS\system32\rntyiswb.dll
2008-09-27 15:56 . 2008-09-27 15:56 105,984 --a------ C:\WINDOWS\system32\tdxgusdw.dll
2008-09-26 15:56 . 2008-09-26 15:56 187 --a------ C:\WINDOWS\Eoption.ini
2008-09-26 15:54 . 2008-09-26 15:54 975,436 ---hs---- C:\WINDOWS\system32\rgxoqbor.ini
2008-09-26 15:54 . 2008-09-26 15:54 128,000 --a------ C:\WINDOWS\system32\tjmwcpdd.dll
2008-09-26 15:54 . 2008-09-26 15:54 128,000 --a------ C:\WINDOWS\system32\qxadmh.dll
2008-09-26 15:48 . 2008-09-26 15:48 <REP> d-------- C:\WINDOWS\system32\pd2
2008-09-26 15:48 . 2008-09-26 15:48 <REP> d-------- C:\WINDOWS\system32\nic
2008-09-26 15:48 . 2008-09-26 15:48 <REP> d-------- C:\WINDOWS\system32\mC19
2008-09-26 15:48 . 2008-09-26 15:48 <REP> d-------- C:\WINDOWS\system32\hz
2008-09-26 15:48 . 2008-09-26 15:48 <REP> d-------- C:\temp\mtc2
2008-09-26 00:37 . 2008-09-27 04:02 <REP> d-------- C:\my dvd
2008-09-26 00:34 . 2008-09-26 15:48 <REP> d-------- C:\Program Files\Easy Avi Divx Xvid to DVD Burner
2008-09-26 00:34 . 2008-09-26 16:44 68 --a------ C:\WINDOWS\Easy Avi Divx Xvid to DVD Burner.INI
2008-09-25 16:57 . 2008-09-25 16:57 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-09-25 15:30 . 2008-09-25 15:30 <REP> d-------- C:\Documents and Settings\Administrateur.ZAZZ\Application Data\Malwarebytes
2008-09-25 15:27 . 2008-09-25 15:27 <REP> d-------- C:\Documents and Settings\Katerine Thomas.ZAZZ\Application Data\Malwarebytes
2008-09-25 15:27 . 2008-09-25 15:27 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-09-25 14:29 . 2008-06-24 13:45 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-09-25 14:29 . 2008-06-23 17:36 773,120 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-09-25 14:28 . 2008-09-25 14:28 0 --a------ C:\WINDOWS\Irremote.ini
2008-09-25 14:26 . 2008-09-29 15:06 <REP> d-------- C:\Documents and Settings\Katerine Thomas.ZAZZ\Application Data\uTorrent
2008-09-24 15:26 . 2008-09-24 15:26 128,000 --a------ C:\WINDOWS\system32\yggmpw.dll
2008-09-24 15:26 . 2008-09-24 15:26 128,000 --a------ C:\WINDOWS\system32\bcbhrvyk.dll
2008-09-23 15:28 . 2008-09-23 15:28 128,000 --a------ C:\WINDOWS\system32\gqtmgxty.dll
2008-09-23 15:28 . 2008-09-23 15:28 128,000 --a------ C:\WINDOWS\system32\dhmzsy.dll
2008-09-22 18:03 . 2008-09-22 19:58 <REP> d-------- C:\Program Files\World of Warcraft Public Test
2008-09-22 18:03 . 2008-09-22 18:03 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Blizzard
2008-09-17 16:03 . 2008-09-17 16:29 <REP> d-------- C:\Program Files\AutoCAD 2008
2008-09-17 16:00 . 2008-09-17 16:00 <REP> d-------- C:\Program Files\Autodesk
2008-09-14 16:00 . 2008-09-25 14:26 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-09-14 14:43 . 2008-09-14 14:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-14 14:43 . 2008-09-14 14:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-10 01:14 . 2008-09-10 01:14 <REP> d-------- C:\Documents and Settings\Katerine Thomas.ZAZZ\Application Data\Nero
2008-09-10 01:09 . 2008-09-25 14:30 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2008-09-09 20:03 . 2008-09-09 20:03 <REP> d-------- C:\Program Files\Windows Media Connect 2
2008-09-09 20:00 . 2008-09-09 20:01 <REP> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-14 17:26 . 2003-11-19 18:48 61,555 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-08-14 15:50 . 2008-04-11 15:05 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-14 15:50 . 2008-05-01 10:36 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 18:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-29 17:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-09-25 23:02 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-09-25 01:11 --------- d-----w C:\Program Files\World of Warcraft
2008-09-23 21:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\BitDefender
2008-09-22 22:50 --------- d-----w C:\Program Files\Fichiers communs\Blizzard Entertainment
2008-09-20 03:39 --------- d-----w C:\Documents and Settings\Katerine Thomas.ZAZZ\Application Data\Autodesk
2008-09-20 03:39 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Autodesk
2008-09-17 20:28 --------- d-----w C:\Program Files\Fichiers communs\Autodesk Shared
2008-08-25 04:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-14 21:26 --------- d-----w C:\Program Files\Java
2007-03-16 07:46 1 ----a-w C:\Documents and Settings\Katerine Thomas.ZAZZ\SI.bin
2006-05-03 21:36 251 -c--a-w C:\Program Files\wt3d.ini
2008-06-20 16:42 619,192 --sha-w C:\WINDOWS\system32\BLnnonpo.ini2
2008-06-18 01:19 1,637 --sha-w C:\WINDOWS\system32\EKlknXbc.ini2
2008-06-22 01:07 622,323 --sha-w C:\WINDOWS\system32\LUBKmUtv.ini2
2008-06-19 13:34 594,844 --sha-w C:\WINDOWS\system32\onqYFfhk.ini2
2008-06-25 01:27 518,044 --sha-w C:\WINDOWS\system32\qAcMmUtv.ini2
2008-06-24 02:52 516,213 --sha-w C:\WINDOWS\system32\qrXyaJjl.ini2
2008-06-20 12:48 596,607 --sha-w C:\WINDOWS\system32\VFOXyyay.ini2
2008-06-02 05:19 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008060220080603\index.dat
.

((((((((((((((((((((((((((((((((( Reg loading points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not listed
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64edd3ca-ce79-4aac-a5df-2b47c46d7e55}]
2008-09-29 15:57 123904 --a------ C:\WINDOWS\system32\zeawvq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c7e911a1-0fe4-431b-98d5-a93c1566542b}]
2008-09-28 15:59 128000 --a------ C:\WINDOWS\system32\edgiwt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-15 368640]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-25 13524992]
"186575f9"="C:\WINDOWS\system32\jvbbfaiu.dll" [2008-09-29 67072]
"BM1b564665"="C:\WINDOWS\system32\nprdvejv.dll" [2008-09-29 101888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=edgiwt.dll zeawvq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"msacm.ac3filter"= ac3filter.acm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 14:44 196608 C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"186575f9"=rundll32.exe "C:\WINDOWS\system32\hihyxrfk.dll",b
"BM1b564665"=Rundll32.exe "C:\WINDOWS\system32\dytihbta.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-07-13 86792]
S3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
- - - - REMOVED ORPHANS - - - -

BHO-{2A80EB86-1121-4A41-BD02-3CA3762A0FDC} - C:\WINDOWS\system32\xxyvtqoP.dll
MSConfigStartUp-uTorrent - C:\Documents and Settings\Katerine Thomas.ZAZZ\Mes documents\Mes fichiers reçus\utorrent.exe


.
------- Supplementary scan -------
.
FireFox -: Profile - C:\Documents and Settings\Katerine Thomas.ZAZZ\Application Data\Mozilla\Firefox\Profiles\4pj8hsfe.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 15:14:12
Windows 5.1.2600 Service Pack 3 NTFS

Scanning for hidden processes ...

Scanning for hidden autostart entries ...

Scanning for hidden files ...

Scan completed successfully
Hidden files: 0

**************************************************************************
.
------------------------ Other running processes ------------------------
.
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Fichiers communs\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
End time: 2008-09-30 15:24:10 - The machine rebooted
ComboFix-quarantined-files.txt 2008-09-30 19:24:06

Pre-Run: 38,821,425,152 bytes free
Post-Run: 38,745,010,176 bytes free

200 --- E O F --- 2008-09-18 21:31:29




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:25:07, on 2008-09-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {55e7d64c-74b2-fd5a-caa4-97ecac3dde46} - {64edd3ca-ce79-4aac-a5df-2b47c46d7e55} - C:\WINDOWS\system32\zeawvq.dll
O2 - BHO: (no name) - {c7e911a1-0fe4-431b-98d5-a93c1566542b} - C:\WINDOWS\system32\edgiwt.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [186575f9] rundll32.exe "C:\WINDOWS\system32\jvbbfaiu.dll",b
O4 - HKLM\..\Run: [BM1b564665] Rundll32.exe "C:\WINDOWS\system32\nprdvejv.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222369069046
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://zazz666.spaces.live.com/PhotoUpload/MsnPUpld.cab
O20 - AppInit_DLLs: edgiwt.dll zeawvq.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Fichiers communs\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Fichiers communs\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 4563 bytes
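The two HijackThis logs above show the usual Vundo/Virtumonde footprint: nameless or GUID-named O2 BHOs pointing at random-named DLLs in system32, O4 Run values launched through rundll32 with a one-letter export (`,b`, `,s`), and the same DLLs registered under O20 AppInit_DLLs so they get loaded into every process. The script below is an added example (not part of this thread or of HijackThis) that applies those three signals to the log lines. The "6 to 8 random lowercase letters" name check is an assumption of this example, not a signature, and on its own it would also match legitimate names such as ctfmon.exe, so a DLL is only reported when a suspicious loader is present as well. The sample lines are copied from the second log in this thread.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines copied from the second HijackThis log
# in this thread (O2 browser helper objects, O4 Run entries, O20 AppInit_DLLs).
SAMPLE_HJT = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {55e7d64c-74b2-fd5a-caa4-97ecac3dde46} - {64edd3ca-ce79-4aac-a5df-2b47c46d7e55} - C:\WINDOWS\system32\zeawvq.dll
O2 - BHO: (no name) - {c7e911a1-0fe4-431b-98d5-a93c1566542b} - C:\WINDOWS\system32\edgiwt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [186575f9] rundll32.exe "C:\WINDOWS\system32\jvbbfaiu.dll",b
O4 - HKLM\..\Run: [BM1b564665] Rundll32.exe "C:\WINDOWS\system32\nprdvejv.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: edgiwt.dll zeawvq.dll
"""

# HijackThis line formats for the three persistence points Vundo uses.
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
RE_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
RE_GUID = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# rundll32[.exe] "<path>.dll",<export>  (quotes optional, case-insensitive)
RE_RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)"?\s*,\s*(?P<entry>\S+)$',
                       re.IGNORECASE)
# Assumption of this example: Vundo's dropped DLL names are 6-8 random lowercase letters.
RE_RANDOM_STEM = re.compile(r"^[a-z]{6,8}$")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def random_looking(path: str) -> bool:
    """Name-shape heuristic only; never a verdict by itself (ctfmon would match too).
    Vendor DLLs such as NvCpl.dll or SDHelper.dll use mixed case and do not match."""
    stem = basename(path).rsplit(".", 1)[0]
    return RE_RANDOM_STEM.match(stem) is not None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the HJT lines that combine a suspicious loader with a random-named DLL."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_O2.match(line)
        if m:
            # Vundo BHOs carry no readable name, or a GUID where the name should be.
            nameless = m["name"] == "(no name)" or RE_GUID.match(m["name"]) is not None
            if nameless and random_looking(m["path"]):
                findings.append({"kind": "O2", "dll": basename(m["path"]), "clsid": m["clsid"],
                                 "why": "BHO with no readable name loading a random-named DLL"})
            continue
        m = RE_O4.match(line)
        if m:
            r = RE_RUNDLL.match(m["cmd"].strip())
            # A one-letter export (",b" / ",s") is the Vundo Run-entry style; NvStartup is not.
            if r and len(r["entry"]) == 1 and random_looking(r["path"]):
                findings.append({"kind": "O4", "dll": basename(r["path"]), "value": m["value"],
                                 "why": "rundll32 with a one-letter export under Run"})
            continue
        m = RE_O20.match(line)
        if m:
            # AppInit_DLLs is loaded by user32.dll into every process that links it.
            for dll in m["dlls"].split():
                findings.append({"kind": "O20", "dll": basename(dll),
                                 "why": "AppInit_DLLs injects into every user32 process"})
    return findings


def suspect_dlls(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct DLL basenames across all findings, the list to feed into a removal script."""
    return sorted({f["dll"].lower() for f in findings})


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT)
    for h in hits:
        print(f'{h["kind"]:>3}  {h["dll"]:<14} {h["why"]}')
    print("suspect DLLs:", ", ".join(suspect_dlls(hits)))
```

Run against the sample, the Spybot BHO and the NVIDIA rundll32 entry pass, and the four Vundo DLLs (edgiwt, jvbbfaiu, nprdvejv, zeawvq) come out, with edgiwt and zeawvq reported twice because they sit in both a BHO and AppInit_DLLs. On a real log, cross-check every hit against the ComboFix "Files created" section: Vundo in this thread rotated a fresh pair of same-size DLLs every day, so the names in yesterday's log are already stale.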

pskelley
2008-09-30, 23:55
Thanks for returning your information, please read and follow all directions carefully and in the numbered order.

If I did not say it before, this is a very infected computer! Do you have any idea how you got this infected?


1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\BM1b564665.xml
C:\WINDOWS\system32\zeawvq.dll
C:\WINDOWS\system32\edgiwt.dll
C:\WINDOWS\system32\jvbbfaiu.dll
C:\WINDOWS\system32\nprdvejv.dll
C:\WINDOWS\system32\uiafbbvj.ini
C:\WINDOWS\system32\hifyxboc.dll
C:\WINDOWS\system32\xiwwfkhl.ini
C:\WINDOWS\system32\lhkfwwix.dll
C:\WINDOWS\system32\imxexbeo.dll
C:\WINDOWS\system32\edgiwt.dll
C:\WINDOWS\system32\hukdaivj.dll_old
C:\WINDOWS\system32\usupnykg.ini
C:\WINDOWS\system32\wivpzy.dll
C:\WINDOWS\system32\rntyiswb.dll
C:\WINDOWS\system32\tdxgusdw.dll
C:\WINDOWS\system32\rgxoqbor.ini
C:\WINDOWS\system32\tjmwcpdd.dll
C:\WINDOWS\system32\qxadmh.dll
C:\WINDOWS\system32\yggmpw.dll
C:\WINDOWS\system32\bcbhrvyk.dll
C:\WINDOWS\system32\gqtmgxty.dll
C:\WINDOWS\system32\dhmzsy.dll
C:\WINDOWS\system32\BLnnonpo.ini2
C:\WINDOWS\system32\EKlknXbc.ini2
C:\WINDOWS\system32\LUBKmUtv.ini2
C:\WINDOWS\system32\onqYFfhk.ini2
C:\WINDOWS\system32\qAcMmUtv.ini2
C:\WINDOWS\system32\qrXyaJjl.ini2
C:\WINDOWS\system32\VFOXyyay.ini2

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64edd3ca-ce79-4aac-a5df-2b47c46d7e55}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c7e911a1-0fe4-431b-98d5-a93c1566542b}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"186575f9"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM1b564665"=-

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(items may be gone, removed by CFScript)

O2 - BHO: {55e7d64c-74b2-fd5a-caa4-97ecac3dde46} - {64edd3ca-ce79-4aac-a5df-2b47c46d7e55} - C:\WINDOWS\system32\zeawvq.dll
O2 - BHO: (no name) - {c7e911a1-0fe4-431b-98d5-a93c1566542b} - C:\WINDOWS\system32\edgiwt.dll
O4 - HKLM\..\Run: [186575f9] rundll32.exe "C:\WINDOWS\system32\jvbbfaiu.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\nprdvejv.dll",s
O20 - AppInit_DLLs: edgiwt.dll zeawvq.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running now?

6) I would also like to see an uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Thanks
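The CFScript in step 2 has two sections: `File::` lists paths for ComboFix to delete, and `Registry::` uses regedit's .reg syntax, where `[-KEY]` deletes a whole key (the two BHO CLSIDs) and `"name"=-` under `[KEY]` deletes a single value (AppInit_DLLs, and the two disabled `run-` entries). Because these scripts are assembled by hand from the previous log, they are easy to get wrong: the one above lists edgiwt.dll twice and opens the `run-` key twice. The code below is an added example, written for this page and not part of ComboFix or the helper's procedure, that builds a CFScript from structured lists (deduplicating paths and grouping values under one key) and parses one back so it can be checked before it is dropped onto ComboFix.exe. The `~` shorthand in the BHO key paths is reproduced exactly as ComboFix's own log printed it; the example input is taken from the entries flagged in this thread.

```python
from typing import Dict, Iterable, List


def build_cfscript(files: Iterable[str],
                   delete_keys: Iterable[str],
                   delete_values: Dict[str, List[str]]) -> str:
    """Emit a CFScript with a File:: section and a Registry:: section.

    Registry:: follows .reg syntax: [-KEY] deletes a whole key and "name"=-
    under [KEY] deletes one value.  Duplicate file paths are dropped."""
    lines = ["File::"]
    seen = set()
    for path in files:
        if path.lower() not in seen:          # Windows paths are case-insensitive
            seen.add(path.lower())
            lines.append(path)
    lines += ["", "Registry::"]
    for key in delete_keys:
        lines += [f"[-{key}]", ""]
    for key, names in delete_values.items():  # one [KEY] block per key, all values under it
        lines.append(f"[{key}]")
        lines += [f'"{name}"=-' for name in names]
        lines.append("")
    return "\n".join(lines).rstrip("\n") + "\n"


def parse_cfscript(text: str) -> Dict[str, object]:
    """Inverse of build_cfscript: read the sections back for review.
    Lines that fit neither pattern are ignored rather than guessed at."""
    files: List[str] = []
    delete_keys: List[str] = []
    delete_values: Dict[str, List[str]] = {}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):               # section header such as File:: or Registry::
            section = line[:-2].lower()
            current_key = None
            continue
        if section == "file":
            files.append(line)
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                delete_keys.append(line[2:-1])
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
                delete_values.setdefault(current_key, [])
            elif line.startswith('"') and line.endswith('"=-') and current_key:
                delete_values[current_key].append(line[1:-3])
    return {"files": files, "delete_keys": delete_keys, "delete_values": delete_values}


# Constructed example input: the entries flagged in this thread, with the
# duplicate edgiwt.dll left in on purpose to show the deduplication.
EXAMPLE_FILES = [
    r"C:\WINDOWS\BM1b564665.xml",
    r"C:\WINDOWS\system32\zeawvq.dll",
    r"C:\WINDOWS\system32\edgiwt.dll",
    r"C:\WINDOWS\system32\jvbbfaiu.dll",
    r"C:\WINDOWS\system32\nprdvejv.dll",
    r"C:\WINDOWS\system32\edgiwt.dll",
]
EXAMPLE_DELETE_KEYS = [
    r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64edd3ca-ce79-4aac-a5df-2b47c46d7e55}",
    r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c7e911a1-0fe4-431b-98d5-a93c1566542b}",
]
EXAMPLE_DELETE_VALUES = {
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows": ["AppInit_DLLs"],
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-": ["186575f9", "BM1b564665"],
}


def example_script() -> str:
    return build_cfscript(EXAMPLE_FILES, EXAMPLE_DELETE_KEYS, EXAMPLE_DELETE_VALUES)


if __name__ == "__main__":
    script = example_script()
    print(script)
    print(parse_cfscript(script))
```

Save the printed text as CFScript.txt next to ComboFix.exe and review the parsed dictionary first: every path should be one you saw in the log, and the only `=-` lines should be the AppInit_DLLs value and the disabled `run-` entries. Clearing AppInit_DLLs outright is appropriate here because the log shows nothing but the two Vundo DLLs in it; on a machine where a legitimate product also uses that value, delete only the offending names instead.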

zazz666
2008-10-01, 01:41
ComboFix 08-09-30.02 - Katerine Thomas 2008-09-30 18:00:23.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2579 [GMT -4:00]
Launched from: C:\Documents and Settings\Katerine Thomas.ZAZZ\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Katerine Thomas.ZAZZ\Bureau\CFScript.txt
* A new restore point was created

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !!

FILE ::
C:\WINDOWS\BM1b564665.xml
C:\WINDOWS\system32\bcbhrvyk.dll
C:\WINDOWS\system32\BLnnonpo.ini2
C:\WINDOWS\system32\dhmzsy.dll
C:\WINDOWS\system32\edgiwt.dll
C:\WINDOWS\system32\EKlknXbc.ini2
C:\WINDOWS\system32\gqtmgxty.dll
C:\WINDOWS\system32\hifyxboc.dll
C:\WINDOWS\system32\hukdaivj.dll_old
C:\WINDOWS\system32\imxexbeo.dll
C:\WINDOWS\system32\jvbbfaiu.dll
C:\WINDOWS\system32\lhkfwwix.dll
C:\WINDOWS\system32\LUBKmUtv.ini2
C:\WINDOWS\system32\nprdvejv.dll
C:\WINDOWS\system32\onqYFfhk.ini2
C:\WINDOWS\system32\qAcMmUtv.ini2
C:\WINDOWS\system32\qrXyaJjl.ini2
C:\WINDOWS\system32\qxadmh.dll
C:\WINDOWS\system32\rgxoqbor.ini
C:\WINDOWS\system32\rntyiswb.dll
C:\WINDOWS\system32\tdxgusdw.dll
C:\WINDOWS\system32\tjmwcpdd.dll
C:\WINDOWS\system32\uiafbbvj.ini
C:\WINDOWS\system32\usupnykg.ini
C:\WINDOWS\system32\VFOXyyay.ini2
C:\WINDOWS\system32\wivpzy.dll
C:\WINDOWS\system32\xiwwfkhl.ini
C:\WINDOWS\system32\yggmpw.dll
C:\WINDOWS\system32\zeawvq.dll
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM1b564665.txt
C:\WINDOWS\BM1b564665.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bcbhrvyk.dll
C:\WINDOWS\system32\BLnnonpo.ini2
C:\WINDOWS\system32\dhmzsy.dll
C:\WINDOWS\system32\edgiwt.dll
C:\WINDOWS\system32\EKlknXbc.ini2
C:\WINDOWS\system32\gqtmgxty.dll
C:\WINDOWS\system32\hifyxboc.dll
C:\WINDOWS\system32\hukdaivj.dll_old
C:\WINDOWS\system32\imxexbeo.dll
C:\WINDOWS\system32\jvbbfaiu.dll
C:\WINDOWS\system32\lhkfwwix.dll
C:\WINDOWS\system32\LUBKmUtv.ini2
C:\WINDOWS\system32\nprdvejv.dll
C:\WINDOWS\system32\onqYFfhk.ini2
C:\WINDOWS\system32\qAcMmUtv.ini2
C:\WINDOWS\system32\qrXyaJjl.ini2
C:\WINDOWS\system32\qxadmh.dll
C:\WINDOWS\system32\rgxoqbor.ini
C:\WINDOWS\system32\rntyiswb.dll
C:\WINDOWS\system32\tdxgusdw.dll
C:\WINDOWS\system32\tjmwcpdd.dll
C:\WINDOWS\system32\uiafbbvj.ini
C:\WINDOWS\system32\usupnykg.ini
C:\WINDOWS\system32\VFOXyyay.ini2
C:\WINDOWS\system32\wivpzy.dll
C:\WINDOWS\system32\xiwwfkhl.ini
C:\WINDOWS\system32\yggmpw.dll
C:\WINDOWS\system32\zeawvq.dll

.
((((((((((((((((((((((((((((( Files created from 2008-08-28 to 2008-09-30 ))))))))))))))))))))))))))))))))))))
.

2008-09-29 12:58 . 2008-09-29 12:58 <DIR> d-------- C:\Program Files\CCleaner
2008-09-29 12:58 . 2008-09-29 13:16 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-09-29 12:57 . 2008-08-05 18:58 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-09-26 15:56 . 2008-09-26 15:56 187 --a------ C:\WINDOWS\Eoption.ini
2008-09-26 15:48 . 2008-09-26 15:48 <DIR> d-------- C:\WINDOWS\system32\pd2
2008-09-26 15:48 . 2008-09-26 15:48 <DIR> d-------- C:\WINDOWS\system32\nic
2008-09-26 15:48 . 2008-09-26 15:48 <DIR> d-------- C:\WINDOWS\system32\mC19
2008-09-26 15:48 . 2008-09-26 15:48 <DIR> d-------- C:\WINDOWS\system32\hz
2008-09-26 15:48 . 2008-09-26 15:48 <DIR> d-------- C:\temp\mtc2
2008-09-26 00:37 . 2008-09-27 04:02 <DIR> d-------- C:\my dvd
2008-09-26 00:34 . 2008-09-26 15:48 <DIR> d-------- C:\Program Files\Easy Avi Divx Xvid to DVD Burner
2008-09-26 00:34 . 2008-09-26 16:44 68 --a------ C:\WINDOWS\Easy Avi Divx Xvid to DVD Burner.INI
2008-09-25 16:57 . 2008-09-25 16:57 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-09-25 15:30 . 2008-09-25 15:30 <DIR> d-------- C:\Documents and Settings\Administrateur.ZAZZ\Application Data\Malwarebytes
2008-09-25 15:27 . 2008-09-25 15:27 <DIR> d-------- C:\Documents and Settings\Katerine Thomas.ZAZZ\Application Data\Malwarebytes
2008-09-25 15:27 . 2008-09-25 15:27 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-09-25 14:29 . 2008-06-24 13:45 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-09-25 14:29 . 2008-06-23 17:36 773,120 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-09-25 14:28 . 2008-09-25 14:28 0 --a------ C:\WINDOWS\Irremote.ini
2008-09-25 14:26 . 2008-09-29 15:06 <DIR> d-------- C:\Documents and Settings\Katerine Thomas.ZAZZ\Application Data\uTorrent
2008-09-22 18:03 . 2008-09-22 19:58 <DIR> d-------- C:\Program Files\World of Warcraft Public Test
2008-09-22 18:03 . 2008-09-22 18:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Blizzard
2008-09-17 16:03 . 2008-09-17 16:29 <DIR> d-------- C:\Program Files\AutoCAD 2008
2008-09-17 16:00 . 2008-09-17 16:00 <DIR> d-------- C:\Program Files\Autodesk
2008-09-14 16:00 . 2008-09-25 14:26 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-09-14 14:43 . 2008-09-14 14:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-14 14:43 . 2008-09-14 14:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-10 01:14 . 2008-09-10 01:14 <DIR> d-------- C:\Documents and Settings\Katerine Thomas.ZAZZ\Application Data\Nero
2008-09-10 01:09 . 2008-09-25 14:30 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2008-09-09 20:03 . 2008-09-09 20:03 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-09-09 20:00 . 2008-09-09 20:01 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-14 17:26 . 2003-11-19 18:48 61,555 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-08-14 15:50 . 2008-04-11 15:05 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-14 15:50 . 2008-05-01 10:36 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 18:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-29 17:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-09-25 23:02 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-09-25 01:11 --------- d-----w C:\Program Files\World of Warcraft
2008-09-23 21:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\BitDefender
2008-09-22 22:50 --------- d-----w C:\Program Files\Fichiers communs\Blizzard Entertainment
2008-09-20 03:39 --------- d-----w C:\Documents and Settings\Katerine Thomas.ZAZZ\Application Data\Autodesk
2008-09-20 03:39 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Autodesk
2008-09-17 20:28 --------- d-----w C:\Program Files\Fichiers communs\Autodesk Shared
2008-08-25 04:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-14 21:26 --------- d-----w C:\Program Files\Java
2007-03-16 07:46 1 ----a-w C:\Documents and Settings\Katerine Thomas.ZAZZ\SI.bin
2006-05-03 21:36 251 -c--a-w C:\Program Files\wt3d.ini
2008-06-02 05:19 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008060220080603\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-09-30_15.23.45.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-30 19:14:11 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
+ 2008-09-30 22:03:46 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
.
((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-15 368640]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-25 13524992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"msacm.ac3filter"= ac3filter.acm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 14:44 196608 C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-07-13 86792]
R3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-186575f9 - C:\WINDOWS\system32\jvbbfaiu.dll
HKLM-Run-BM1b564665 - C:\WINDOWS\system32\nprdvejv.dll



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 18:03:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Fichiers communs\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-30 18:12:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-30 22:12:42
ComboFix2.txt 2008-09-30 19:24:11

Pre-Run: 38,713,511,936 bytes free
Post-Run: 38,699,941,888 bytes free

199 --- E O F --- 2008-09-18 21:31:29
--------------------------------------------------------

Malwarebytes' Anti-Malware 1.28
Database version: 1222
Windows 5.1.2600 Service Pack 3

2008-09-30 19:36:16
mbam-log-2008-09-30 (19-36-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 133569
Time elapsed: 58 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\mC19 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080924-230549-728.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\faceback.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bcbhrvyk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dhmzsy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\edgiwt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\gqtmgxty.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\imxexbeo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lhkfwwix.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qxadmh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rntyiswb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tjmwcpdd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wivpzy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyawxyy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyvtqoP.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yggmpw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP273\A0045579.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP273\A0045580.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP273\A0046085.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP273\A0046086.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP275\A0046171.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP275\A0046220.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP277\A0046321.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP277\A0046323.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP277\A0046324.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP278\A0046457.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP278\A0046444.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP278\A0046445.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP278\A0046446.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP278\A0046447.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP278\A0046449.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP278\A0046451.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP278\A0046453.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP278\A0046455.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP278\A0046460.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABC20DC3-AD9F-4E87-B1FC-4B99D7004636}\RP278\A0046462.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pd2\sfeth112.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nic\BNU3453.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hz\NE56T23.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mC19\mC191065.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:38:17, on 2008-09-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222369069046
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://zazz666.spaces.live.com/PhotoUpload/MsnPUpld.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Fichiers communs\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Fichiers communs\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 4071 bytes
----------------------------------------------------------------


AC3Filter (remove only)
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
APC PowerChute Personal Edition
WinRAR archiver
AutoCAD 2008 - English
Autodesk DWF Viewer 7
BitDefender Total Security 2008
Caesar IV
CCleaner (remove only)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Hotfix for Windows Internet Explorer 7 (KB947864)
Easy Avi/Divx/Xvid to DVD Burner 2.5.1
GemMaster Mystic
HijackThis 2.0.2
Intel(R) PRO Network Connections Drivers
Java 2 Runtime Environment, SE v1.4.2_03
Windows Media Player 11
Logitech QuickCam Software
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 French Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Basic Edition 2003
Microsoft Visual C++ 2005 Redistributable
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB923789)
Mozilla Firefox (3.0.3)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser
neroxml
Nokia Connectivity Cable Driver
NVIDIA Drivers
Otto
Logitech® Camera Driver
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
SigmaTel Audio
Sonic Encoders
Spybot - Search & Destroy
VCRedistSetup
Windows Live Messenger
Windows Media Format 11 runtime
World of Warcraft
World of Warcraft Public Test
Xvid 1.1.3 final uninstall

pskelley
2008-10-01, 02:11
Thanks for returning your information...
Uninstall list: I look for malware and security issues only.

Java 2 Runtime Environment, SE v1.4.2_03 <<< Java is seriously out of date, read this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
It can be difficult to remove a version that out of date, this tool will help: http://raproducts.org/

I cannot see where I received the information I requested here, and apologize if I missed it.

How is the computer running now?

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

zazz666
2008-10-01, 21:38
How is the computer running now?

Everything is running much faster, no more popups when IE/Firefox is running, and web pages are loading normally again.


I will not install Windows XP Recovery Console; we can go on with spyware removal.


I got infected by clicking a link in an MSN window.

pskelley
2008-10-01, 21:43
Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to make sure we missed none of the junk, no need to post a clean scan result.

Update your antivirus program and scan the system, to be sure it is running right and scanning clean. Let me know if all is well at this point and I will close your topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
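
The System Restore flush described above, scripted as an added example (it is not from pskelley's post or from any of the tools used in this thread). The MBAM log shows why the step matters: Trojan.Vundo and Adware.Webhancer copies were found under C:\System Volume Information\_restore{...}\RP273-RP278, and those restore points would bring the DLLs back on a rollback. The My Computer > Properties > System Restore tab drives the WMI SystemRestore class, so the same off/on cycle can be done from PowerShell. Assumptions: the monitored drive is C:\, the script runs from an Administrator prompt with PowerShell installed on the XP box, and the function names Get-RestorePoints and Invoke-SystemRestoreFlush are mine.

```powershell
# Added example, not from the thread: purge poisoned System Restore points
# on Windows XP by toggling System Restore off and back on through the WMI
# SystemRestore class (namespace root\default), which is what the
# System Restore tab in System Properties does behind the scenes.
# Assumes an Administrator prompt and that C:\ is the monitored drive.
$Drive = 'C:\'

function Get-RestorePoints {
    # Every restore point is one SystemRestore instance; the RPnnn folder
    # under _restore{...} that MBAM flagged corresponds to a SequenceNumber.
    @(Get-WmiObject -Namespace 'root\default' -Class 'SystemRestore' -ErrorAction SilentlyContinue |
        Select-Object SequenceNumber, Description, CreationTime)
}

function Invoke-SystemRestoreFlush {
    param([Parameter(Mandatory = $true)][string]$Drive)

    # Static methods Enable()/Disable() live on the class, not on an instance.
    $sr = [wmiclass]'\\.\root\default:SystemRestore'

    $before = Get-RestorePoints
    Write-Host ("Restore points before flush: {0}" -f $before.Count)
    $before | Format-Table -AutoSize | Out-String | Write-Host

    # Disable() deletes every existing restore point on the drive, i.e. the
    # _restore{...}\RPnnn copies of the Vundo DLLs go with it.
    $rc = $sr.Disable($Drive).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.Disable('$Drive') failed, return code $rc" }

    # Enable(Drive, WaitTillEnabled) turns monitoring back on with a clean
    # baseline; Windows creates a fresh restore point on the next change.
    $rc = $sr.Enable($Drive, $true).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.Enable('$Drive') failed, return code $rc" }

    $after = Get-RestorePoints
    Write-Host ("Restore points after flush (expected 0): {0}" -f $after.Count)
    if ($after.Count -ne 0) {
        Write-Warning "Old restore points survived the toggle; check that the prompt is elevated."
    }
}

Invoke-SystemRestoreFlush -Drive $Drive
```

The post's reboot between the off and on steps is a belt-and-braces habit from the GUI method; if you want to keep it, run the Disable() half, reboot, then run the Enable() half. Either way, a follow-up MBAM full scan should no longer list anything under C:\System Volume Information, and only a fresh RPnnn folder should exist under _restore{...}.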

zazz666
2008-10-03, 00:10
Thank you so much! Everything is clear and running smoothly.