Avast WEBforum
Other => Viruses and worms => Topic started by: Sashkello on July 17, 2012, 11:52:40 AM
-
I had this virus which redirects web pages. I installed Avast, everything works but it keeps showing me malware (or trojan horse) blocked messages in the services.exe process.
Logs are attached.
-
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-17 19:50:27
-----------------------------
19:50:27.393 OS Version: Windows x64 6.1.7601 Service Pack 1
19:50:27.393 Number of processors: 4 586 0x2A07
19:50:27.394 ComputerName: ACCELERATOR UserName: Sasha
19:50:27.889 Initialize success
19:50:28.102 AVAST engine defs: 12071700
19:50:46.635 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:50:46.640 Disk 0 Vendor: C400-MTF 0009 Size: 244198MB BusType: 3
19:50:46.647 Disk 0 MBR read successfully
19:50:46.653 Disk 0 MBR scan
19:50:46.658 Disk 0 Windows 7 default MBR code
19:50:46.661 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 15500 MB offset 2048
19:50:46.666 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 31746048
19:50:46.670 Disk 0 Partition - 00 0F Extended LBA 228596 MB offset 31950848
19:50:46.675 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 220398 MB offset 31952896
19:50:46.679 Disk 0 Partition - 00 05 Extended 8197 MB offset 483328000
19:50:46.685 Disk 0 Partition 4 00 84 OS/2 hidden C: Gb´¿ 8196 MB offset 483330048
19:50:46.706 Disk 0 scanning C:\Windows\system32\drivers
19:50:48.467 Service scanning
19:50:52.601 Modules scanning
19:50:52.624 Disk 0 trace - called modules:
19:50:52.632 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
19:50:52.638 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006a13060]
19:50:52.643 3 CLASSPNP.SYS[fffff88001d5643f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa80042da050]
19:50:53.041 AVAST engine scan C:\Windows
19:50:53.752 AVAST engine scan C:\Windows\system32
19:51:10.929 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
19:51:11.293 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
19:51:26.866 AVAST engine scan C:\Windows\system32\drivers
19:51:29.338 AVAST engine scan C:\Users\Sasha
19:51:47.691 AVAST engine scan C:\ProgramData
19:51:51.848 Scan finished successfully
19:53:51.530 Disk 0 MBR has been saved successfully to "C:\Users\Sasha\Documents\MBR.dat"
19:53:51.534 The log file has been saved successfully to "C:\Users\Sasha\Documents\aswMBR.txt"
-
Your aswMBR log shows a rootkit. I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.
Please do not make any further changes to your machine now that you have provided the logs.
IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you to follow malware removal instructions; use a different machine to check email, sync your phone or other devices.
Let us know if you have any questions. Thank you.
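How a helper could pull the indicators out of an aswMBR log like the one above automatically, as an added example that is not part of this thread or of AVAST's tools; the sample lines are copied from the posted log, and the line patterns are an assumption about aswMBR's format drawn only from that log.

```python
import re

# Constructed sample in aswMBR's line format, taken from the log posted above.
SAMPLE_LOG = r"""
19:50:46.658 Disk 0 Windows 7 default MBR code
19:50:46.661 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 15500 MB offset 2048
19:50:46.666 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 31746048
19:51:10.929 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
19:51:11.293 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
19:51:51.848 Scan finished successfully
"""

# Line patterns assumed from the posted log, not from any aswMBR documentation.
INFECTED_RE = re.compile(r"^\S+ File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+) \[(?P<tag>\w+)\]$")
PART_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) Partition (?P<idx>\d+|-) (?P<boot>[0-9A-F]{2}) (?:\(A\) )?"
                     r"(?P<type>[0-9A-F]{2}) (?P<desc>.+?) (?P<mb>\d+) MB offset (?P<off>\d+)$")
MBR_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) (?P<code>.+) MBR code$")


def parse_aswmbr(text):
    """Pull detections, the partition table and the MBR code description out of an aswMBR log."""
    report = {"infected": [], "partitions": [], "mbr": {}}
    for line in text.splitlines():
        if m := INFECTED_RE.match(line):
            report["infected"].append(m.groupdict())
        elif m := PART_RE.match(line):
            d = m.groupdict()
            d["mb"], d["off"] = int(d["mb"]), int(d["off"])
            report["partitions"].append(d)
        elif m := MBR_RE.match(line):
            report["mbr"][int(m["disk"])] = m["code"]
    return report


def triage(report):
    """Turn the parsed log into findings a helper would act on; the [Rtk] tag marks rootkit signatures."""
    findings = []
    for disk, code in report["mbr"].items():
        if "default" not in code:  # aswMBR reports a stock loader as "<OS> default MBR code"
            findings.append(f"disk {disk}: non-default MBR code ({code}), possible bootkit")
    for hit in report["infected"]:
        kind = "rootkit" if hit["tag"] == "Rtk" else "malware"
        findings.append(f"{kind}: {hit['name']} in {hit['path']}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_aswmbr(SAMPLE_LOG)):
        print(finding)
```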
-
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O2 - BHO: (FLV Runner Toolbar) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - C:\Program Files (x86)\FLV_Runner\prxtbFLV_.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (FLV Runner Toolbar) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - C:\Program Files (x86)\FLV_Runner\prxtbFLV_.dll (Conduit Ltd.)
[2012/07/08 17:50:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Conduit
[2012/07/08 17:49:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FLV_Runner
:Files
ipconfig /flushdns /c
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\Installer\{36d462c4-1a9d-9e2a-f63d-bbc0e3ed2173}
C:\Users\Sasha\AppData\Local\{36d462c4-1a9d-9e2a-f63d-bbc0e3ed2173}
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
-
Everything seems to work fine now.
Thank you very much!!!
-
Any outstanding problems?