Topic: Win32:Atraps-PF infection

electricnick

  • Guest
Win32:Atraps-PF infection
« on: July 09, 2012, 07:39:29 AM »
Hello all.  My wife's laptop has picked up this Atraps-PF trojan and I need some help removing it.  It seems I am not the only one dealing with this pesky trojan right now.  Avast notifies me of its existence every few minutes or so.  I believe I have attached all of the necessary logs.  Thank you to anybody who is willing to help!


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.09.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514

7/8/2012 10:18:34 PM
mbam-log-2012-07-08 (22-18-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207836
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data: ;áÃzÊ;XA³0öm»Áµ -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\AppData\Local\Temp\msd406918.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\Windows\Installer\{2c28d4d9-c266-e1f2-e277-bbe3a6339dd3}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)
« Last Edit: July 10, 2012, 06:46:25 PM by electricnick »
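The MBAM log above follows a fixed text layout: a "<Category> Detected: N" header, then one line per object in the form "<object> (<threat>) -> [Data: <value> -> ]<action>". As an added example (not code from the thread or from Malwarebytes), the PowerShell below parses that layout into objects so the PUP entries can be separated from the trojan hits and anything not removed is listed for follow-up. The log text embedded in the script is a constructed excerpt in the same format as the one posted; the function name is an assumption.

```powershell
# Added example, not part of the thread: parse a Malwarebytes Anti-Malware 1.x
# text log into objects. The sample is a constructed excerpt in the format of
# the log posted above (same categories, same "object (threat) -> action" lines).
$sampleLog = @'
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.09.01

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data:  -> Quarantined and deleted successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\AppData\Local\Temp\msd406918.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\Windows\Installer\{2c28d4d9-c266-e1f2-e277-bbe3a6339dd3}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)
'@

function ConvertFrom-MbamLog {
    # Hypothetical helper name; returns one object per detection line.
    param([Parameter(Mandatory)][string]$Text)
    $section = $null
    foreach ($line in ($Text -split "`r?`n")) {
        # Section header, e.g. "Registry Keys Detected: 6"
        if ($line -match '^(?<section>.+?) Detected: (?<count>\d+)$') {
            $section = $Matches.section
            continue
        }
        # Detection line: <object> (<threat>) -> [Data: <data> -> ]<action>
        if ($section -and $line -match '^(?<object>.+?) \((?<threat>[^()]+)\) -> (?:Data: (?<data>.*?) -> )?(?<action>.+)$') {
            [pscustomobject]@{
                Category = $section
                Object   = $Matches.object
                Threat   = $Matches.threat
                Data     = $Matches.data
                Action   = $Matches.action
                Removed  = ($Matches.action -match '^Quarantined and deleted successfully')
            }
        }
    }
}

$findings = ConvertFrom-MbamLog -Text $sampleLog

# Full list, then a per-family count: PUP.* entries are adware residue,
# the Trojan.* hits are what actually warrants a specialist (as the thread says).
$findings | Format-Table Category, Threat, Object -AutoSize
$findings | Group-Object Threat | Select-Object Name, Count

# Anything MBAM could not quarantine needs manual follow-up.
$findings | Where-Object { -not $_.Removed } | Format-Table Object, Action -AutoSize
```

To run it against a real log, replace `$sampleLog` with `Get-Content -Raw <path to mbam-log-*.txt>`; the regex is tolerant of the "Data: <binary>" segment that appears on registry value lines, such as the mis-encoded toolbar value in the posted log.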

SafeSurf

  • Guest
Re: Win32:Atraps-PF infection
« Reply #1 on: July 09, 2012, 07:43:54 AM »
I am reviewing your logs now.  I'll be back shortly.

SafeSurf

  • Guest
Re: Win32:Atraps-PF infection
« Reply #2 on: July 09, 2012, 07:56:00 AM »
Even though MBAM did what it is supposed to do, you still have problems that require a malware removal specialist, which I am going to refer you to after having reviewed your logs.  You have more than a trojan going on.

I am going to refer you to our Certified Malware specialist, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time (6 - 8 PM).  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine after you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless Essexboy instructs you to, in order to carry out malware removal instructions; use a different machine to check email, and do NOT sync your phone or any other devices with this machine.  Thank you.

--> Please describe how your machine is behaving. 

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32:Atraps-PF infection
« Reply #3 on: July 09, 2012, 10:20:48 AM »
@electricnick

I will help you to remove this rootkit. Follow these instructions:

Step 1

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
Code:
:otl
IE:64bit: - HKLM\..\SearchScopes\{ADA0299C-55B0-4809-824D-58D9A4EA15A0}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKLM\..\SearchScopes\{ADA0299C-55B0-4809-824D-58D9A4EA15A0}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKU\S-1-5-21-2076646527-1613465164-1563332735-1000\..\SearchScopes\{ADA0299C-55B0-4809-824D-58D9A4EA15A0}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
[3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[120 C:\Windows\Installer\{2c28d4d9-c266-e1f2-e277-bbe3a6339dd3}\U\*.tmp files -> C:\Windows\Installer\{2c28d4d9-c266-e1f2-e277-bbe3a6339dd3}\U\*.tmp -> ]

:files
C:\Windows\Installer\{2c28d4d9-c266-e1f2-e277-bbe3a6339dd3}
C:\Users\veganjamie\AppData\Local\{2c28d4d9-c266-e1f2-e277-bbe3a6339dd3}
ipconfig /flushdns /c

:Commands
[DRIVES]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot when it is done. Notepad will open with a log report. Post that log here.
Step 2

> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read these instructions.

> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Post log reports ( ComboFix.txt) back to topic.
« Last Edit: July 09, 2012, 10:29:13 AM by magna86 »
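The OTL fix above targets three kinds of artifact: IE SearchScopes entries redirected to ask.com (in HKLM, the 32-bit view on x64, and the user hive), a BHO/toolbar registration whose CLSID has no corresponding class registration ("No CLSID value found"), and a GUID-named folder with a "U" subfolder under both C:\Windows\Installer and the user's AppData\Local. As an added example (not an OTL script, and not code from the thread or from any of the tools it names), the PowerShell below audits a machine for those same three indicators and only reports; it deletes nothing. It assumes PowerShell 3.0 or later in an elevated prompt; the helper function name is an assumption.

```powershell
# Added example, not part of the thread: read-only audit of the persistence
# points the OTL fix above removes. Assumes PowerShell 3.0+ and an elevated prompt.

# 1. IE search providers in the three hives the fix touched. The URL is listed
#    so a provider pointing at an unexpected engine (ask.com in the log) stands out.
$scopeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)
$searchScopes = foreach ($root in $scopeRoots) {
    if (Test-Path -LiteralPath $root) {
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            [pscustomobject]@{
                Hive  = $root
                Scope = $key.PSChildName
                Name  = $key.GetValue('DisplayName')
                URL   = $key.GetValue('URL')
            }
        }
    }
}

# 2. BHO and toolbar registrations whose CLSID has no HKCR\CLSID entry, which is
#    the "No CLSID value found" condition in the OTL log. Nothing can load from
#    such an entry, so each one is either leftover residue or a half-removed hijacker.
function Test-ClsidRegistered([string]$Clsid) {
    # Hypothetical helper: true if the CLSID is registered in either view.
    (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid") -or
    (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid")
}
$clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$orphans = New-Object System.Collections.Generic.List[object]
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($root in $bhoRoots) {
    if (Test-Path -LiteralPath $root) {
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            if (-not (Test-ClsidRegistered $key.PSChildName)) {
                $orphans.Add([pscustomobject]@{ Where = $root; CLSID = $key.PSChildName })
            }
        }
    }
}
# Toolbars are registered as values (value name = CLSID), not subkeys.
foreach ($tb in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar') {
    if (Test-Path -LiteralPath $tb) {
        foreach ($name in (Get-Item -LiteralPath $tb).GetValueNames()) {
            if ($name -match $clsidPattern -and -not (Test-ClsidRegistered $name)) {
                $orphans.Add([pscustomobject]@{ Where = $tb; CLSID = $name })
            }
        }
    }
}

# 3. GUID-named folders containing a "U" subfolder: the layout of the
#    C:\Windows\Installer\{...}\U\00000008.@ file MBAM quarantined and of the
#    AppData\Local\{...} folder the fix deletes. C:\Windows\Installer holds many
#    legitimate {GUID} folders (MSI caches), so the "U" subfolder and any *.@
#    files inside it are what single a folder out.
$profileRoot = Split-Path -Parent $env:USERPROFILE      # e.g. C:\Users
$dirRoots = @("$env:SystemRoot\Installer") +
    @(Get-ChildItem -LiteralPath $profileRoot -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local' })
$suspectDirs = foreach ($root in $dirRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match $clsidPattern } |
            ForEach-Object {
                $u = Join-Path $_.FullName 'U'
                if (Test-Path -LiteralPath $u) {
                    $atFiles = @(Get-ChildItem -LiteralPath $u -Force -Filter '*.@' -ErrorAction SilentlyContinue)
                    [pscustomobject]@{ Folder = $_.FullName; AtFiles = $atFiles.Count }
                }
            }
    }
}

'== IE SearchScopes ==';                  $searchScopes | Format-Table -AutoSize
'== Orphaned BHO/toolbar CLSIDs ==';      $orphans      | Format-Table -AutoSize
'== GUID folders with a U subfolder =='; $suspectDirs  | Format-Table -AutoSize
```

Run it before the fix to confirm the indicators are present and again after the reboot to confirm they are gone; a clean run prints three empty tables. Because it only reads, it is safe to run on a machine that is still being triaged, which a fix script like the one above is not.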

GTalkofthetown

  • Guest
Re: Win32:Atraps-PF infection
« Reply #4 on: July 09, 2012, 03:01:50 PM »
I have the same prob, please help! I have made a thread with my prob!! :o

electricnick

  • Guest
Re: Win32:Atraps-PF infection
« Reply #5 on: July 09, 2012, 04:47:40 PM »
I have attached the combofix log and it appears that the problem is now gone.  Thank you for the help!

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32:Atraps-PF infection
« Reply #6 on: July 09, 2012, 04:59:07 PM »
Fine. :)
Your logs look clean. There is no active malware.

It is necessary to uninstall ComboFix:

Start >> Run

Code:
Combofix /Uninstall

then press Enter.

>> Re-run OTL and hit the CleanUp! button.

Zombie Evolved

  • Guest
Re: Win32:Atraps-PF infection
« Reply #7 on: July 09, 2012, 05:44:53 PM »
I seem to be having the same infection.  I'm just trying to understand how common this type of infection is and how serious it can be to the system.