Win32:Downloader-PKU + Win32- Malware-Gen

Hey,

Avast is detecting all this stuff (4 times per hour): Win32: Downloader-PKU-Malware + Win32-Gen
But it does not remove the problem (I do not know anything about viruses, I can only imagine …)

(in French, sorry, but I can translate some parts if needed ;o)
Malwarebytes Anti-Malware (Essai) 1.62.0.1300
www.malwarebytes.org

Version de la base de données: v2012.08.08.11

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Philippe :: PHILIPPE-MUSIC [administrateur]

Protection: Activé

08/08/2012 23:52:23
mbam-log-2012-08-08 (23-52-23).txt

Type d’examen: Examen rapide
Options d’examen activées: Mémoire | Démarrage | Registre | Système de fichiers | Heuristique/Extra | Heuristique/Shuriken | PUP | PUM
Options d’examen désactivées: P2P
Elément(s) analysé(s): 295505
Temps écoulé: 18 minute(s), 23 seconde(s)

Processus mémoire détecté(s): 0
(Aucun élément nuisible détecté)

Module(s) mémoire détecté(s): 0
(Aucun élément nuisible détecté)

Clé(s) du Registre détectée(s): 1
HKCU\Software\Visicom Media (Adware.KeenValue) → Mis en quarantaine et supprimé avec succès.

Valeur(s) du Registre détectée(s): 0
(Aucun élément nuisible détecté)

Elément(s) de données du Registre détecté(s): 0
(Aucun élément nuisible détecté)

Dossier(s) détecté(s): 0
(Aucun élément nuisible détecté)

Fichier(s) détecté(s): 4
C:\Windows\Installer\{583a3e06-fa9b-8b8f-dcd4-8949182b6ad4}\n (Rootkit.0Access) → Mis en quarantaine et supprimé avec succès.
C:\Windows\Installer\{583a3e06-fa9b-8b8f-dcd4-8949182b6ad4}\U\00000008.@ (Trojan.Dropper.BCMiner) → Mis en quarantaine et supprimé avec succès.
C:\Windows\Installer\{583a3e06-fa9b-8b8f-dcd4-8949182b6ad4}\U\000000cb.@ (Rootkit.0Access) → Mis en quarantaine et supprimé avec succès.
C:\Windows\Installer\{583a3e06-fa9b-8b8f-dcd4-8949182b6ad4}\U\80000032.@ (Rootkit.0Access) → Mis en quarantaine et supprimé avec succès.

(end)

In short, can you help me, please?
Let me know if you need something more.

Thank you !
Phil

We also need the OTL and aswMBR logs.

http://forum.avast.com/index.php?topic=53253.0

Ok thanks ;o)
It’s done (see attached files)

(aswMBR log to come)

And here is the aswMBR log ;o)

Thanks !
Phil

(not sure that the process had ended when I saved the log file… ?)

Malware removers are notified. It may take several hours before one arrives, so be patient.

Thank you very much ;o)

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
@Alternate Data Stream - 993 bytes -> C:\Program Files (x86)\Common Files\System:Eu3Tuese6GOcLLJLBx1
@Alternate Data Stream - 992 bytes -> C:\ProgramData\Microsoft:bYntwOYUsKvFwco1Dr1dqlPYSf82L7
@Alternate Data Stream - 1284 bytes -> C:\Program Files\Common Files\Microsoft Shared:FCwlqT8FP7tROUXGBy86
@Alternate Data Stream - 1221 bytes -> C:\ProgramData\Microsoft:39qj2rLEMYZmPYzl1sdokTIxIqpkh
@Alternate Data Stream - 1198 bytes -> C:\Users\Philippe\AppData\Local\Temp:wsHWOAN8MRUThFdJpLkf45
@Alternate Data Stream - 1198 bytes -> C:\ProgramData\Microsoft:fNgHYy8zJLpUTs5VzVVnlWnU
@Alternate Data Stream - 1194 bytes -> C:\ProgramData\Microsoft:vXhqan3wPoJkQUridCYE
@Alternate Data Stream - 1138 bytes -> C:\Program Files (x86)\Common Files\System:FDMl5lF9mMByOlqOTAMQsg6
@Alternate Data Stream - 1124 bytes -> C:\ProgramData\MicrosoftqQXxPZFhoi5xsy5JzwwCtPqIZ
@Alternate Data Stream - 1112 bytes -> C:\Program Files (x86)\Common Files\microsoft shared:FCwlqT8FP7tROUXGBy86
@Alternate Data Stream - 1043 bytes -> C:\ProgramData\Microsoft:0K7SVvJ7EgiQzZ9x2GtHVWIq3I

:Files
C:\Windows\Installer\{583a3e06-fa9b-8b8f-dcd4-8949182b6ad4}
C:\Users\Philippe\AppData\Local\{583a3e06-fa9b-8b8f-dcd4-8949182b6ad4}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

FINALLY

Run Farbar Service Scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Thank you ;o)

OTL is now creating a restore point. But it is taking very long… (15 minutes now…)

Give it another minute or two, if it has not finished then stop it and continue to the next step

Ok thanks, how can I do this, please? (sorry, I really don’t know this software, and do not want to make a mistake…)

Two options: either click the red X at top right, or open Task Manager and end the OTL process.

:) I have to reset manually… the PC seems frozen… (I’m writing from another PC)

OK that will work…

Yes it works ;o)

Here are 2 logs: the first one was made by OTL directly (and very quickly) after the reboot, and the other is the log from the quick scan.

Could you continue with ComboFix now, please?

Yes, it just ended. (See attached file.)
I thought every Avast service was disabled, but Avast blocked Rootkit.exe (something like that) at the end of the process… it happened very quickly, then reboot…

Farbar Service Scanner Version: 06-08-2012
Ran by Philippe (administrator) on 10-08-2012 at 16:13:23
Running from “C:\Users\Philippe\Documents”
Microsoft Windows 7 Édition Familiale Premium (X64)
Boot Mode: Normal


Internet Services:

Connection Status:

Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:

Firewall Disabled Policy:

System Restore:

System Restore Disabled Policy:

Action Center:

Windows Update:

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:

Windows Defender:

WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Other Services:

File Check:

C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2009-07-14 01:25] - [2009-07-14 03:45] - 1898576 ____A (Microsoft Corporation) 912107716BAB424C7870E8E6AF5E07E1

C:\Windows\System32\dnsrslvr.dll
[2009-07-14 01:21] - [2009-07-14 03:40] - 0182272 ____A (Microsoft Corporation) 676108C4E3AA6F6B34633748BD0BEBD9

C:\Windows\System32\mpssvc.dll
[2009-07-14 02:09] - [2009-07-14 03:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-14 01:36] - [2009-07-14 03:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll
[2009-07-14 02:36] - [2009-07-14 03:41] - 2418176 ____A (Microsoft Corporation) 38340204A2D0228F1E87740FC5E554A7

C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

Everything seems to work perfectly… I’m going to stop and restart the PC now. ;)

OK, we will need to do one more run with ComboFix.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe|c:\windows\system32\Services.exe
Save this as CFScript.txt, in the same location as ComboFix.exe.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
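
As an added, read-only check (example code written for this thread, not part of the post above or of OTL, ComboFix or FSS), the following PowerShell script re-examines the three artefacts the OTL fix and the CFScript deal with: alternate data streams on the listed directories, the BITS service, and services.exe against the WinSxS copy. It assumes Windows 7 x64, an elevated Windows PowerShell 2.0 or later prompt, and the WinSxS path quoted in the CFScript; the ZaCheck P/Invoke wrapper and the Get-AltStream function are names of my own.

```powershell
# Added example, not from the thread: read-only checks for the artefacts the OTL fix and the
# CFScript above deal with. Assumes Windows 7 x64 and an elevated Windows PowerShell 2.0+
# prompt; nothing is modified, each check only reports.
# P/Invoke stream enumeration: PS 2.0 has no -Stream parameter, and the ZeroAccess payloads in
# the OTL :OTL list are alternate data streams attached to directories, not files.
Add-Type -Namespace ZaCheck -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct StreamData { public long Size;
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)] public string Name; }
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr FindFirstStreamW(string path, int level, out StreamData d, uint flags);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool FindNextStreamW(IntPtr h, out StreamData d);
[DllImport("kernel32.dll")] public static extern bool FindClose(IntPtr h);
'@

function Get-AltStream([string]$Path) {
    $d = New-Object 'ZaCheck.Native+StreamData'
    $h = [ZaCheck.Native]::FindFirstStreamW($Path, 0, [ref]$d, 0)
    if ($h.ToInt64() -eq -1) { return }            # no streams, or path not accessible
    do {
        if ($d.Name -ne '::$DATA') {                # a file's unnamed data stream is normal
            New-Object PSObject -Property @{ Path = $Path; Stream = $d.Name; Bytes = $d.Size }
        }
    } while ([ZaCheck.Native]::FindNextStreamW($h, [ref]$d))
    [void][ZaCheck.Native]::FindClose($h)
}

# 1. The directories the OTL fix strips streams from (resolved from the environment).
$dirs = "$env:ProgramData\Microsoft", "${env:ProgramFiles(x86)}\Common Files\System",
        "${env:ProgramFiles(x86)}\Common Files\microsoft shared",
        "$env:ProgramFiles\Common Files\Microsoft Shared", "$env:LOCALAPPDATA\Temp"
$dirs | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { Get-AltStream $_ } |
    Format-Table Path, Stream, Bytes -AutoSize

# 2. BITS: ZeroAccess deletes the service, which is why the OTL fix recreates it with sc.
$bits = Get-WmiObject Win32_Service -Filter "Name='BITS'"
if (-not $bits) { 'BITS service is missing' }
elseif ($bits.PathName -notmatch 'svchost\.exe -k netsvcs') { "BITS ImagePath unexpected: $($bits.PathName)" }
else { "BITS present: start mode $($bits.StartMode), state $($bits.State)" }

# 3. services.exe against the component-store copy the CFScript restores it from. On a patched
#    system a newer WinSxS version may be current, so the file version is printed beside the hash.
$sxs = 'C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe'
foreach ($f in "$env:SystemRoot\System32\services.exe", $sxs) {
    if (-not (Test-Path -LiteralPath $f)) { "$f not present"; continue }
    $fs = [System.IO.File]::OpenRead($f)
    try { $hash = [BitConverter]::ToString([Security.Cryptography.MD5]::Create().ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
    '{0}  {1}  {2}' -f $hash, (Get-Item -LiteralPath $f).VersionInfo.FileVersion, $f
}
```

Run it once per PowerShell session, since Add-Type cannot redefine ZaCheck.Native in a process that already loaded it.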

OK, processing…