Genpack:trojan.fakeav.ad

A Deep Scan of my system using BitDefender revealed the following issue: GenPack:Trojan.Fakeav.AD has infected my computer, with no action possible by BitDefender. I have attached the log file, so if anyone can help me get my computer running quick and smooth again I would greatly appreciate it!


Thanks,


tGr


Attachment: 1219328759_1_02.xml

Comments

  • Sorry, I forgot to include the HijackThis log file...


    Here it is:


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 9:46:06 AM, on 21/08/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16705)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\stsystra.exe


    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


    C:\WINDOWS\System32\DLA\DLACTRLW.EXE


    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe


    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


    C:\Program Files\QuickTime\QTTask.exe


    C:\Program Files\iTunes\iTunesHelper.exe


    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe


    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe


    C:\Program Files\Logitech\QuickCam\Quickcam.exe


    C:\Program Files\Messenger\msmsgs.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe


    C:\Program Files\Digital Line Detect\DLG.exe


    C:\Program Files\SMART Board Software\SMARTBoardTools.exe


    C:\Program Files\SMART Board Software\Aware.exe


    C:\Program Files\SMART Board Software\Marker.exe


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\Program Files\Bonjour\mDNSResponder.exe


    C:\WINDOWS\runservice.exe


    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe


    C:\Program Files\SMART Board Software\SMARTBoardService.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    C:\Program Files\Canon\CAL\CALMAIN.exe


    C:\Program Files\iPod\bin\iPodService.exe


    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe


    C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\SMARTProductUpdate.exe


    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\WINDOWS\system32\igfxsrvc.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatheroffice.ec.gc.ca/city/pag...0_metric_e.html


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local


    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll


    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL


    O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll


    O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe


    O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup


    O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start


    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE


    O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot


    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe


    O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe


    O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe


    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun


    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe


    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe


    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe


    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime


    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"


    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe


    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"


    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"


    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"


    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide


    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020


    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe


    O4 - Global Startup: Digital Line Detect.lnk = ?


    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


    O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O20 - Winlogon Notify: __c00980E - C:\WINDOWS\system32\__c00980E.dat


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe


    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe


    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe


    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe


    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe


    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe


    O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


    O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 9577 bytes

  • csalgau (edited August 2008)

    Please attach an archive with the following files to your next post:


    C:\WINDOWS\runservice.exe
    C:\WINDOWS\system32\__c00980E.dat


    If you are unable to find/copy any of the files, please download AVIS (it can be found in the How To forum) and attach a scan log and a complete system log.


    As for the scan log, as far as I can see only one file is detected as infected, and it is in an archive. You can safely delete the file in which the sample is detected (C:\Documents and Settings\wade\Local Settings\Temporary Internet Files\Content.IE5\7LR9Y108\install_5060_MHw1fDEwMTAwMDAwMDB8fHx8fHx8fA_[1].exe).
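The triage csalgau does by hand above (singling out the O20 Winlogon Notify entry and the unknown-owner service whose binary sits directly in C:\WINDOWS) can be written down as rules over the HijackThis log. The script below is an added example for this page; it is not part of the original thread, of HijackThis or of BitDefender. The log excerpt it parses is constructed from the entries quoted in the thread, the `WINDIR` location is assumed to be the default XP install path, and the three heuristics (a Winlogon Notify package that is not a DLL, an unknown-owner service with its binary directly in the Windows directory, an unqualified filename in a Run key) are my own prioritisation rules, not csalgau's or BitDefender's detection criteria.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the HijackThis 2.0.2 log posted in the thread;
# a real run would read the full saved log from disk instead.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O20 - Winlogon Notify: __c00980E - C:\WINDOWS\system32\__c00980E.dat
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
"""

WINDIR = r"c:\windows"  # assumption: default XP location, compared case-insensitively


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code (O4, O20, O23, ...)
    severity: str  # "high" = submit/quarantine first, "review" = look at, often benign
    path: str      # file the entry launches or loads
    reason: str


# Section prefix common to every entry, then per-section body layouts.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def exe_from_command(cmd: str) -> str:
    """Pull the executable out of a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)\b", cmd)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> list[Finding]:
    """Apply persistence-oriented heuristics to each HijackThis entry."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")

        if sec == "O20":
            n = NOTIFY_RE.match(body)
            if n is None:
                continue
            path = n.group("path")
            # Winlogon notification packages are DLLs loaded into winlogon.exe,
            # which runs as SYSTEM at every logon; a non-DLL file there is anomalous.
            if not path.lower().endswith(".dll"):
                findings.append(Finding(sec, "high", path,
                                        "Winlogon Notify package is not a DLL"))
            else:
                findings.append(Finding(sec, "review", path,
                                        "Winlogon Notify package; confirm the vendor"))

        elif sec == "O23":
            s = SERVICE_RE.match(body)
            if s is None or s.group("owner") != "Unknown owner":
                continue
            path = s.group("path")
            # No vendor info plus a binary dropped straight into %WINDIR% (not a
            # subdirectory) is the combination csalgau queried in the thread.
            if ntpath.dirname(path).lower() == WINDIR:
                findings.append(Finding(sec, "high", path,
                                        "no vendor info, binary directly in the Windows directory"))
            else:
                findings.append(Finding(sec, "review", path, "service with no vendor info"))

        elif sec == "O4":
            r = RUN_RE.match(body)
            if r is None:
                continue
            exe = exe_from_command(r.group("cmd"))
            # A bare filename is resolved through the PATH search order at logon,
            # so it is easy to hijack and impossible to attribute from the log alone.
            if ntpath.dirname(exe) == "":
                findings.append(Finding(sec, "review", exe,
                                        "Run entry uses an unqualified filename"))
    return findings


def files_to_submit(log_text: str) -> list[str]:
    """The 'please attach these files' list: every high-severity path, deduplicated."""
    return sorted({f.path for f in triage(log_text) if f.severity == "high"})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.severity:<7}{f.path}  ({f.reason})")
    print("submit:", files_to_submit(SAMPLE_LOG))
```

Run as-is it prints the findings for the embedded excerpt; pass a saved log's text to `triage()` for a real case. It is a prioritiser, not a verdict: `ati2sgag.exe` comes out as "review" only because HijackThis found no vendor information for it, and the two "high" paths are exactly the files csalgau asked to have submitted, which is the right next step rather than deleting them outright.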

  • I have attached the following 2 files:


    C:\WINDOWS\runservice.exe


    C:\WINDOWS\system32\__c00980E.dat


    password is "infected"


    However, I cannot delete this file:


    C:\Documents and Settings\wade\Local Settings\Temporary Internet Files\Content.IE5\7LR9Y108\install_5060_MHw1fDEwMTAwMDAwMDB8fHx8fHx8fA_[1].exe


    It doesn't appear to be located in the Content.IE5 file (maybe this was deleted when I ran CCleaner earlier today???)


    Thanks for your quick help!!!

    Attachment: virus.zip

  • Please attach "mmfs.dll". It might be in c:\windows\system32\ but I cannot be certain.


    Please also attach an AVIS Complete System Log.


    You can try and delete your temporary internet files (Control Panel -> Internet Options -> Delete Files/Browsing History/Delete -> Temporary Internet Files) in order to remove that file if it still exists.


    Also, BitDefender should soon be able to remove __c00980e.dat, with the next update.

  • Hi!


    I noticed this morning when I turned my computer on that BitDefender had quarantined the file:


    __c00980e.dat


    and my computer seems to be running like normal again...


    I am not sure if my problem is fixed or if it will start operating slowly again with pop-ups... Would you like me to still attach the files mentioned in the post above, or do you think that by quarantining the virus file (__c00980e.dat) I will be okay?


    Thank-you soooo much for lending a helping hand - I really appreciate your efforts and I would have been lost without you!


    tGr

  • Hello tGr,


    Can you please download ComboFix (you will find it here)? Print the following instructions and read them carefully. Please post the output of the scan in your next post, so I or someone else can see if there are still some infections.


    Kind regards,


    Niels

  • csalgau (edited August 2008)

    I still want "mmfs.dll" regardless of whether the computer is clean.