New undetected Virus Help me Plz

[b]Hello,

My computer was infected with some strange virus that will force you to download an antivirus called

SpywareSecure_trial_setup

from the web site below (Spybot detects this application as “MalWare”)

http://www.antispyware-solution.com/060/?&nums=N1ECWWIBB0-FEYLX0.AKb&login=672125

So am I obliged to pay this hacker for his fake software??? AVAST TEAM, analyse this virus and give us an update as soon as possible[/b]

[center]§§together to make avast the most powerful Antivirus§§
I'm just reporting this to help develop avast software
[/center]

So am I obliged to pay this hacker for his fake software!!!!!??
Do not download this software - do not pay for it.

Please download Malwarebytes’ Anti-Malware from Here or Here

[*]Double-click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

This virus is more powerful than I thought: it disabled avast updates,
other software updates and Internet Explorer activity.
Very smart virus: no Autorun + hidden trace in registry.
But it's not unbeatable! 8)

Were you unable to download and run MBAM?

Yes, but I'm not able to update it; very weird --> “virus still in my machine”
As you can see, some Trojans and adware are not deleted.
You asked me for the log:

Malwarebytes' Anti-Malware 1.30
Version de la base de données: 1306
Windows 5.1.2600 Service Pack 2

16/11/2008 00:16:17
-2008-11-16 (00-16-03).txt

Type DE recherche: Examen rapide
Eléments examinés: 48905
Temps écoulé: 5 minute(s), 24 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 7
Valeur(s) du Registre infectée(s): 1
Elément(s) de données du Registre infecté(s): 4
Dossier(s) infecté(s): 2
Fichier(s) infecté(s): 16

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} (Trojan.HumourCanine) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spyware-secure (Rogue.Spyware-Secure) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winmxw32 (Dialer) → No action taken.
HKEY_CLASSES_ROOT\Pornovid (Trojan.DNSChanger) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Spyware-Secure (Rogue.Spyware-Secure) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Spyware-Secure (Rogue.Spyware-Secure) → No action taken.

Valeur(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ykkimew (Adware.Navipromo.H) → No action taken.

Elément(s) de données du Registre infecté(s):
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) → Bad: ("%1" %*) Good: (regedit.exe "%1") → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4467e098-6bbe-4086-a921-134ec47b133d}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.115;85.255.112.186 → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4467e098-6bbe-4086-a921-134ec47b133d}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.115;85.255.112.186 → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4467e098-6bbe-4086-a921-134ec47b133d}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.115;85.255.112.186 → No action taken.

Dossier(s) infecté(s):
C:\resycled (Trojan.DNSChanger) → No action taken.
C:\Program Files\Spyware-Secure (Rogue.Spyware-Secure) → No action taken.

Fichier(s) infecté(s):
C:\Documents and Settings\Administrateur\Local Settings\Application Data\ykkimew_navps.dat (Adware.Navipromo.H) → No action taken.
C:\Documents and Settings\Administrateur\Local Settings\Application Data\ykkimew_nav.dat (Adware.Navipromo.H) → No action taken.
C:\Documents and Settings\Administrateur\Local Settings\Application Data\ykkimew.dat (Adware.Navipromo.H) → No action taken.
C:\Documents and Settings\Administrateur\Local Settings\Application Data\ykkimew.exe (Adware.Navipromo.H) → No action taken.
C:\resycled\boot.com (Trojan.DNSChanger) → No action taken.
C:\Program Files\Spyware-Secure\config.s3db (Rogue.Spyware-Secure) → No action taken.
C:\Program Files\Spyware-Secure\language (Rogue.Spyware-Secure) → No action taken.
C:\Program Files\Spyware-Secure\Spyware-Secure.url (Rogue.Spyware-Secure) → No action taken.
C:\Program Files\Spyware-Secure\sqlite3.dll (Rogue.Spyware-Secure) → No action taken.
C:\Program Files\Spyware-Secure\sws_translations.xml (Rogue.Spyware-Secure) → No action taken.
C:\Program Files\Spyware-Secure\uninst.exe (Rogue.Spyware-Secure) → No action taken.
C:\Program Files\Spyware-Secure\unrar.dll (Rogue.Spyware-Secure) → No action taken.
C:\WINDOWS\system32\winmxw32.dll (Dialer) → No action taken.
C:\Documents and Settings\Administrateur\Bureau\Spyware-Secure trial.lnk (Rogue.Spyware-Secure) → No action taken.
C:\Documents and Settings\Administrateur\Application Data\addon.dat (Malware.Trace) → No action taken.
C:\explorer.exe (Heuristics.Reserved.Word.Exploit) → No action taken.
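Reading a log like the one above by hand means tallying families and copying out the values that actually matter for cleanup: the NameServer addresses the DNSChanger wrote into every control set, the tampered regfile handler, and everything still marked "No action taken". The Python below is an added example, not code from the thread or from Malwarebytes: it parses entries in this log layout, counts detections per threat name, lists what is still live, flags any NameServer value outside an allowlist of resolvers the administrator expects, and extracts the Bad/Good pair for tampered handler keys. The sample entries are copied from the posted log (one changed to a removed state so both outcomes appear), and the allowlist is the example's own assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log
# (French section headers as in the thread; entries copied from the posted log,
# one of them changed to a removed state so both outcomes appear).
SAMPLE_LOG = r"""
Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Spyware-Secure (Rogue.Spyware-Secure) -> No action taken.
HKEY_CLASSES_ROOT\Pornovid (Trojan.DNSChanger) -> No action taken.

Valeur(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ykkimew (Adware.Navipromo.H) -> No action taken.

Elément(s) de données du Registre infecté(s):
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: (regedit.exe "%1") -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4467e098-6bbe-4086-a921-134ec47b133d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115;85.255.112.186 -> No action taken.

Fichier(s) infecté(s):
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
"""

# One detection line: <item> (<threat name>) -> [<data> ->] <action>
# The arrow is "->" in the file; "→" is accepted because forum rendering often converts it.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) (?:->|→) (?P<rest>.+)$")
ARROW_RE = re.compile(r" (?:->|→) ")
FIX_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_entries(text):
    """Return one dict per detection line; headers, counts and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        parts = ARROW_RE.split(m.group("rest"))
        entries.append({
            "item": m.group("item"),
            "threat": m.group("threat"),
            "data": " ".join(parts[:-1]),   # empty unless the line carries a Data:/Bad:/Good: segment
            "action": parts[-1],
        })
    return entries


def summarize(entries):
    """Detections per threat name, e.g. Counter({'Trojan.DNSChanger': 3, ...})."""
    return Counter(e["threat"] for e in entries)


def not_removed(entries):
    """Entries the user left untouched ("No action taken"), i.e. still live on the box."""
    return [e for e in entries if e["action"].startswith("No action taken")]


def rogue_nameservers(entries, allowed_networks):
    """Flag NameServer values outside the resolvers the administrator expects.

    allowed_networks is the example's own assumption: the ISP or LAN resolver
    ranges this machine should be using; anything else is a DNS hijack candidate.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for e in entries:
        if not e["item"].endswith("\\NameServer"):
            continue
        for ip in IPV4_RE.findall(e["data"]):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in allowed):
                hits.append((e["item"], ip))
    return hits


def broken_open_commands(entries):
    """(key, bad value, good value) for handler keys MBAM reports as tampered."""
    out = []
    for e in entries:
        m = FIX_RE.search(e["data"])
        if m:
            out.append((e["item"], m.group("bad"), m.group("good")))
    return out


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    print("per threat:", dict(summarize(found)))
    print("still present:", len(not_removed(found)))
    print("rogue DNS:", rogue_nameservers(found, ["10.0.0.0/8", "192.168.0.0/16"]))
    print("tampered handlers:", broken_open_commands(found))
```

The allowlist check is the part worth keeping around: a DNS changer survives a reboot and a half-done cleanup because the NameServer values sit in every ControlSet, so comparing them against the resolvers you expect is a quicker confirmation than waiting for the next scan.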

You have a nice collection there - Navipromo - Wareout - plus the usual suspects… There are two programmes for you to download and run. HijackThis needs to be run after ComboFix.

Download & Run HijackThis.exe

[*]Download HJTInstall.exe to your Desktop.
[*]Doubleclick HJTInstall.exe to install it.
[*]By default it will install to C:\Program Files\Trend Micro\HijackThis.
[*]Click on Install.
[*]It will create a HijackThis icon on the desktop.
[*]Once installed, it will launch Hijackthis.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Copy/Paste the log to your next reply please.

Don’t use the Analyse This button; its findings are dangerous if misinterpreted.
Don’t have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Believe it or not, ComboFix has failed to create a log file :cry:
The only log belongs to HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:59, on 2008-11-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\anoooos\Internet Download Manager\IDMan.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Firefox-Anon\firefox.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.938\HijackThis.exe
C:\WINDOWS\system32\CF8181.exe
C:\ComboFix\ComboFix-Download.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://fr.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://fr.search.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8580
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot0.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\anoooos\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-xa\msntb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot0.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S3B.tmp" /EF "HKLM"
O4 - HKLM\..\RunOnce: [runonce.exe] runonce.exe
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\anoooos\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Thinstall Setup Capture Continue] "D:\Program Files\Thinstall Virtualization Suite 3.207\setup_capture.exe" "D:\Program Files\Thinstall Virtualization Suite 3.207\{2EE4737B-9B52-41FD-940D-3ED087D6477D}.snapshot" "D:\Program Files\Thinstall Virtualization Suite 3.207\{851F4742-CA16-43CD-9995-7B884393865F}.snapshot"
O4 - HKCU\..\Run: [iegiw] "c:\documents and settings\administrateur\local settings\application data\iegiw.exe" iegiw
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nLite] %systemroot%\inf\nlite.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nLite] %systemroot%\inf\nlite.cmd (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: Advanced Email Extractor - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scan link with AEE - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
O8 - Extra context menu item: Télécharger avec IDM - C:\Program Files\anoooos\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Télécharger le contenu de video FLV avec IDM - C:\Program Files\anoooos\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Télécharger tous les liens avec IDM - C:\Program Files\anoooos\Internet Download Manager\IEGetAll.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute 2008\vrie.dll (file missing)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute 2008\vrie.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O9 - Extra ‘Tools’ menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe


End of file - 7685 bytes
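A HijackThis log lists everything that hooks into the browser or starts at logon, benign or not, which is why the helper warns that most of it is harmless. The Python below is an added triage pass, not code from the thread or from HijackThis: over sample lines copied from the log above it applies three conservative checks that a first reader would do by eye, namely a browser proxy pointed at the local machine (the R1 ProxyServer line), O4 autostarts that either run from a profile data or temp directory (the iegiw entry) or are given as a bare filename resolved through PATH (runonce.exe), and R3/O2/O3/O9 entries whose referenced file is missing. The severity labels, the directory list and the choice of which HJT sections to inspect are the example's own assumptions, and a "high" here only means "look at this first", not a verdict.

```python
import re

# Constructed sample: HijackThis v2 log lines copied from the thread (abridged).
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8580
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [runonce.exe] runonce.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iegiw] "c:\documents and settings\administrateur\local settings\application data\iegiw.exe" iegiw
O4 - Global Startup: BlueSoleil.lnk = ?
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute 2008\vrie.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
End of file - 7685 bytes
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Directories a legitimate program rarely autostarts from (the example's own assumption).
SUSPICIOUS_AUTOSTART_DIRS = ("local settings\\application data", "local settings\\temp", "\\temp\\")
O4_COMMAND_RE = re.compile(r"\] (.+)$")   # everything after the [name] tag of an O4 line


def autostart_target(command):
    """Executable part of an O4 command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def classify(line):
    """(severity, reason) for one HijackThis line, or None when nothing stands out."""
    line = line.strip()
    if " - " not in line:
        return None                       # process list, headers, blank lines
    kind, body = line.split(" - ", 1)
    low = line.lower()
    if kind == "R1" and ",proxyserver = " in low:
        host = low.rsplit("= ", 1)[1].split(":", 1)[0]
        if host in ("127.0.0.1", "localhost"):
            return ("high", "browser proxy points at the local machine; identify the listening process")
    if kind == "O4":
        m = O4_COMMAND_RE.search(body)
        if not m:
            return None                   # e.g. 'Global Startup: x.lnk = ?' has no [name] tag
        target = autostart_target(m.group(1))
        if any(d in target.lower() for d in SUSPICIOUS_AUTOSTART_DIRS):
            return ("high", "autostart runs from a profile data or temp directory")
        if "\\" not in target and "%" not in target:
            return ("medium", "autostart given as a bare filename, resolved through PATH at logon")
        return None
    if kind in ("R3", "O2", "O3", "O9") and any(mk in low for mk in ORPHAN_MARKERS):
        return ("low", "orphaned entry: referenced file is missing (cleanup candidate, not an infection)")
    return None


def triage(text):
    """List of (severity, reason, line) for every line that trips a check."""
    findings = []
    for ln in text.splitlines():
        result = classify(ln)
        if result:
            findings.append((result[0], result[1], ln.strip()))
    return findings


def severity_counts(findings):
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, why, ln in triage(SAMPLE_HJT):
        print(f"[{sev}] {why}\n    {ln}")
```

The checks deliberately stop short of naming anything malware: a loopback proxy can belong to a legitimate local web filter, and an orphaned BHO is just leftovers from an uninstall. The value is in the ordering, so the reader looks at the two "high" lines before the twenty benign ones.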

Look here C:\ComboFix.txt

The log is over 10000 chars; download it from here:

http://rapidshare.com/files/163848485/ComboFix.txt.html

:wink:

You can attach .txt or .log files to your post.

When you click the Reply button, there is an Additional Options link, this expands the options to attach a file, that can be an image file or a text file (.log or .txt).

You also appear to have infected yourself via USB, so let's prevent that.

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
[*]Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
[*]The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
[*]Wait until it has finished scanning and then exit the program.
[*]Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder… it will help protect your drives from future infection.

THEN

  1. Please open Notepad
    [*]Click Start, then Run
    [*]Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
"Keenfinder Service"

File::
C:\~ 705.temp
C:\Documents and Settings\msn.bmp
C:\msn.bmp

Folder::
C:\Program Files\Bifrost1
C:\Program Files\Keenfinder

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85fd21e2-6b15-11d4-9513-00138fc8d68a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df2c9ae6-a6ab-11dd-b059-101111111111}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5C371166-AB90-3BB8-E721-B24D3AB6EAA1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ba5b606-b053-11dd-b082-101111111111}]

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt
    [*]A new HijackThis log.

FINALLY

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload it to Mediafire and post the sharing link.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the OTScanit folder and double-click on OTScanit.exe to start the program.
[*]Check the box that says Scan All User Accounts
[*]Check the Radio button for Rootkit check YES
[*]Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
[*]Under Additional Scans check the following:
[*]Reg - BotCheck
[*]File - Additional Folder Scans
[*]File - Purity Scan

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Thanks "DavidR", the virus has been killed :-X

;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D

You’re welcome, though the thanks are entirely due to essexboy who did all the work.