Author Topic: Win32:Atraps-PF ! HELP!  (Read 9761 times)


merrilyhappy

  • Guest
Win32:Atraps-PF ! HELP!
« on: June 30, 2012, 01:30:17 AM »
Avast keeps moving win32:atraps-pf to the chest every few minutes. Ran Mbam, log says successfully removed but it's still there. Help?
Mbam Log:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.29.05

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Marissa :: MARISSA-PC [administrator]

Protection: Enabled

6/29/2012 3:57:02 AM
mbam-log-2012-06-29 (03-57-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211939
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65bcd620-07dd-012f-819f-073cf1b8f7c6} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\Marissa\AppData\Local\Temp\140993.Uninstall\Uninstall.exe (PUP.Adware.InstallCore) -> Quarantined and deleted successfully.
C:\Users\Marissa\AppData\Local\Temp\is1293846689\IWantThisAD_US.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
C:\Users\Marissa\Downloads\ADLSoft_UnCompressor.exe (PUP.Adware.InstallCore) -> Quarantined and deleted successfully.
C:\Windows\Installer\{9c374914-9016-4b9b-c068-d105409e58e0}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89051
  • No support PMs thanks
Re: Win32:Atraps-PF ! HELP!
« Reply #1 on: June 30, 2012, 02:27:57 AM »
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

merrilyhappy

  • Guest
Re: Win32:Atraps-PF ! HELP!
« Reply #2 on: June 30, 2012, 02:44:43 AM »
Thanks, the MBAM log is included in the first post. OTL logs are attached, and the aswMBR log is below.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-29 05:25:51
-----------------------------
05:25:51.725    OS Version: Windows x64 6.1.7600
05:25:51.726    Number of processors: 4 586 0x2A07
05:25:51.729    ComputerName: MARISSA-PC  UserName: Marissa
05:25:53.628    Initialize success
05:25:53.841    AVAST engine defs: 12062900
05:25:56.249    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
05:25:56.253    Disk 0 Vendor: Hitachi_ PB4O Size: 476940MB BusType: 3
05:25:56.294    Disk 0 MBR read successfully
05:25:56.298    Disk 0 MBR scan
05:25:56.304    Disk 0 Windows 7 default MBR code
05:25:56.329    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        15360 MB offset 2048
05:25:56.361    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 31459328
05:25:56.383    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       461478 MB offset 31664128
05:25:56.431    Disk 0 scanning C:\Windows\system32\drivers
05:26:11.746    Service scanning
05:26:37.985    Modules scanning
05:26:38.003    Disk 0 trace - called modules:
05:26:38.039    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
05:26:38.053    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006904060]
05:26:38.063    3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004a91050]
05:26:39.350    AVAST engine scan C:\Windows
05:26:52.435    AVAST engine scan C:\Windows\system32
05:27:45.828    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Sirefef-ZT [Trj]
05:28:05.620    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
05:28:07.484    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
05:29:07.912    AVAST engine scan C:\Windows\system32\drivers
05:29:18.600    AVAST engine scan C:\Users\Marissa
07:05:29.361    AVAST engine scan C:\ProgramData
08:06:25.770    Scan finished successfully
13:54:01.762    Disk 0 MBR has been saved successfully to "C:\Users\Marissa\Documents\MBR.dat"
13:54:01.776    The log file has been saved successfully to "C:\Users\Marissa\Documents\aswMBR.txt1.txt"

merrilyhappy

  • Guest
Re: Win32:Atraps-PF ! HELP!
« Reply #3 on: June 30, 2012, 02:48:05 AM »
Additional info:
The file that keeps getting caught by avast is C:\Windows\Installer\{9c374914-9016-4b9b-c068-d105409e58e0}\U\00000008.@ (Trojan.Dropper.BCMiner)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89051
  • No support PMs thanks
Re: Win32:Atraps-PF ! HELP!
« Reply #4 on: June 30, 2012, 03:41:59 AM »
Stuff like this, C:\Windows\Installer\{9c374914-9016-4b9b-c068-d105409e58e0}\U\00000008.@ (Trojan.Dropper.BCMiner): the bold text is usually an indication of an underlying rootkit. This is also picked up in the aswMBR avast scan.

Quote
05:27:45.828    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Sirefef-ZT [Trj]
05:28:05.620    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
05:28:07.484    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]

I believe it is these which are responsible for the other alerts as they try to initiate more malware.

Whilst it is a pain getting the avast alerts like this, it is preventing further infection.

Unfortunately this does need a malware removal specialist (not me) to analyse the OTL logs. essexboy, who is most active on this, will be in bed (2:42 a.m. here in the UK, and I'm about to call it a night also), so it may be a bit of time unless another specialist from a time zone closer to yours can continue with this.

Sorry I can't be of more practical help.
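An added example (not code from the forum, from Avast, or from either scanner): a small Python triage helper that parses the two log formats pasted in this thread and flags the locations DavidR points to as rootkit indicators, so that a line reading "Quarantined and deleted successfully" in one of those locations is not mistaken for a finished cleanup. The sample log lines are constructed to match the shape of the logs above; the path patterns are only the ones named in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, shaped like the MBAM and aswMBR logs posted in this thread.
SAMPLE_MBAM = r"""
Files Detected: 2
C:\Users\Marissa\Downloads\ADLSoft_UnCompressor.exe (PUP.Adware.InstallCore) -> Quarantined and deleted successfully.
C:\Windows\Installer\{9c374914-9016-4b9b-c068-d105409e58e0}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
"""
SAMPLE_ASWMBR = r"""
05:27:45.828    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Sirefef-ZT [Trj]
05:28:05.620    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
05:29:07.912    AVAST engine scan C:\Windows\system32\drivers
"""

# One MBAM detection per line: "<file path or registry key> (<family>) -> <action>"
MBAM_RE = re.compile(r"^(?P<path>(?:[A-Za-z]:|HK[A-Z]+)\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")
# aswMBR reports a hit as: "<time>    File: <path>  **INFECTED** <name> [<kind>]"
ASWMBR_RE = re.compile(r"^\S+\s+File: (?P<path>.+?)\s+\*\*INFECTED\*\* (?P<name>\S+) \[(?P<kind>\w+)\]$")

# Locations this thread ties to the Sirefef/ZeroAccess rootkit; a hit here means a quarantined dropper is a symptom, not the cure.
ROOTKIT_PATHS = [
    re.compile(r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}\\U\\", re.I),
    re.compile(r"\\Windows\\assembly\\GAC_(32|64)\\Desktop\.ini$", re.I),
    re.compile(r"\\Windows\\system32\\services\.exe$", re.I),
]

@dataclass
class Detection:
    source: str          # "mbam" or "aswmbr"
    path: str
    name: str            # detection name exactly as the scanner reported it
    rootkit_indicator: bool

def _parse(text, pattern, source):
    """Collect the lines of a log that match `pattern`, skipping headers and progress lines."""
    hits = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            path = m["path"]
            hits.append(Detection(source, path, m["name"], any(p.search(path) for p in ROOTKIT_PATHS)))
    return hits

def parse_mbam(text):
    return _parse(text, MBAM_RE, "mbam")

def parse_aswmbr(text):
    return _parse(text, ASWMBR_RE, "aswmbr")

def needs_specialist(detections):
    """True when any hit sits in a rootkit-associated location, whatever action the scanner reports."""
    return any(d.rootkit_indicator for d in detections)
```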

merrilyhappy

  • Guest
Re: Win32:Atraps-PF ! HELP!
« Reply #5 on: June 30, 2012, 04:41:57 AM »
Thanks DavidR,
Hopefully I'll get some help soon.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Atraps-PF ! HELP!
« Reply #6 on: June 30, 2012, 12:23:33 PM »
This should cure it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-3270222126-2588381078-2510154656-1000\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.

    :Files
    ipconfig /flushdns /c
    C:\Windows\Installer\{9c374914-9016-4b9b-c068-d105409e58e0}
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Shaneps86

  • Guest
Re: Win32:Atraps-PF ! HELP!
« Reply #7 on: June 30, 2012, 09:17:56 PM »
EssexBoy,

I am in a very similar situation. I was wondering if this fix or a slight variation of this fix would help me as well? Attached is my OTL log, and below are the MBAM and aswMBR logs.

MBAM;

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.29.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Shay :: ALICE [administrator]

6/29/2012 7:01:07 PM
mbam-log-2012-06-29 (19-01-07).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 395852
Time elapsed: 1 hour(s), 43 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Shay\Desktop\finished\memory card full\Programs\Office 2010 Toolkit\Net_Framework 3.5_Update.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Shay\Desktop\finished\memory card full\Programs\VideoPad.Video.Editor.Pro.2.40_2\NCH Software - VideoPad 3.22 - KeYGeN_IMPosTOR.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Windows\Installer\{dbcaa52c-e526-45d0-2df8-41b4d6fcb8cf}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)

aswMBR log;

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-30 12:57:21
-----------------------------
12:57:21.384    OS Version: Windows x64 6.1.7601 Service Pack 1
12:57:21.384    Number of processors: 2 586 0x603
12:57:21.387    ComputerName: ALICE  UserName: Shay
12:57:23.751    Initialize success
12:57:23.883    AVAST engine defs: 12063000
12:57:28.422    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000068
12:57:28.426    Disk 0 Vendor: Hitachi_ JE3O Size: 476940MB BusType: 11
12:57:28.448    Disk 0 MBR read successfully
12:57:28.454    Disk 0 MBR scan
12:57:28.461    Disk 0 Windows 7 default MBR code
12:57:28.478    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
12:57:28.493    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       463010 MB offset 409600
12:57:28.539    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        13626 MB offset 948654080
12:57:28.567    Disk 0 Partition 4 00     0C    FAT32 LBA MSDOS5.0      103 MB offset 976560128
12:57:28.677    Disk 0 scanning C:\Windows\system32\drivers
12:57:49.550    Service scanning
12:58:22.192    Modules scanning
12:58:22.211    Disk 0 trace - called modules:
12:58:22.249    ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
12:58:22.262    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80042ee060]
12:58:22.275    3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa8004279ac0]
12:58:22.288    5 amd_xata.sys[fffff88001080900] -> nt!IofCallDriver -> \Device\00000068[0xfffffa80042754a0]
12:58:24.422    AVAST engine scan C:\Windows
12:58:45.223    AVAST engine scan C:\Windows\system32
13:00:51.506    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Sirefef-ZT [Trj]
13:01:21.971    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
13:01:24.433    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
13:02:53.782    AVAST engine scan C:\Windows\system32\drivers
13:03:08.328    AVAST engine scan C:\Users\Shay
13:41:21.301    AVAST engine scan C:\ProgramData
13:48:16.115    Scan finished successfully
14:06:04.328    Disk 0 MBR has been saved successfully to "C:\Users\Shay\Desktop\MBR.dat"
14:06:04.343    The log file has been saved successfully to "C:\Users\Shay\Desktop\aswMBR.txt"

Thanks for any advice you can give me as well. You're doing a great thing, thank you!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89051
  • No support PMs thanks
Re: Win32:Atraps-PF ! HELP!
« Reply #8 on: June 30, 2012, 09:36:05 PM »
@ Shaneps86
Please create your own new topic here http://forum.avast.com/index.php?board=4.0 in the viruses and worms forum (click the New topic button at the top of the page; see image) and we will try and help you there.

Fixes are unique to the users system as mentioned above every fix.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Atraps-PF ! HELP!
« Reply #9 on: June 30, 2012, 10:04:05 PM »
@Shaneps86 A topic for you has been started here

http://forum.avast.com/index.php?topic=100400.new#new

merrilyhappy

  • Guest
Re: Win32:Atraps-PF ! HELP!
« Reply #10 on: June 30, 2012, 10:55:46 PM »
Thanks @essexboy,
I did as you suggested. The logs are attached below. I have just enabled avast antivirus and am waiting to see if the problem persists. So far, so good.

« Last Edit: June 30, 2012, 11:00:16 PM by merrilyhappy »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Atraps-PF ! HELP!
« Reply #11 on: June 30, 2012, 10:57:42 PM »
Could you post the combofix log please it should be at C:\combofix.txt

merrilyhappy

  • Guest
Re: Win32:Atraps-PF ! HELP!
« Reply #12 on: June 30, 2012, 11:02:46 PM »
@essexboy,
Sorry :), thought you wanted the log. Combofix.txt is attached.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Atraps-PF ! HELP!
« Reply #13 on: June 30, 2012, 11:10:33 PM »
Quote
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
That's the main bad boy dead  ;D

How is the computer now?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=109935&babsrc=HP_ss&mntrId=d43cc1fc0000000000009a9ffa934aae
    IE - HKCU\..\URLSearchHook: {687578b9-7132-4a7a-80e4-30ee31099e03} - No CLSID value found
    IE - HKCU\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No CLSID value found
    IE - HKCU\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
    IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109935&babsrc=SP_ss&mntrId=d43cc1fc0000000000009a9ffa934aae
    FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
    FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
    [2012/02/03 13:14:43 | 000,002,313 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
    [2012/02/03 13:14:34 | 000,000,000 | ---D | M] -- C:\Users\Marissa\AppData\Roaming\Babylon

    :Files
    ipconfig /flushdns /c
    c:\user.js

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

merrilyhappy

  • Guest
Re: Win32:Atraps-PF ! HELP!
« Reply #14 on: June 30, 2012, 11:47:44 PM »
@essexboy,
i haven't seen anymore avast warnings so it seems to be working fine. OTL log is attached.