Author Topic: Win32: Malware-gen  (Read 1233 times)

Offline Sashkello

  • Newbie
  • *
  • Posts: 3
    • Personal Message (Offline)
Win32: Malware-gen
« on: July 17, 2012, 09:52:40 AM »
I had this virus which redirects web pages. I installed Avast, everything works but it keeps showing me malware (or trojan horse) blocked messages in services.exe process.
Logs are attached.

Offline Sashkello

  • Newbie
  • *
  • Posts: 3
    • Personal Message (Offline)
Re: Win32: Malware-gen
« Reply #1 on: July 17, 2012, 09:54:39 AM »
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-17 19:50:27
-----------------------------
19:50:27.393    OS Version: Windows x64 6.1.7601 Service Pack 1
19:50:27.393    Number of processors: 4 586 0x2A07
19:50:27.394    ComputerName: ACCELERATOR  UserName: Sasha
19:50:27.889    Initialize success
19:50:28.102    AVAST engine defs: 12071700
19:50:46.635    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:50:46.640    Disk 0 Vendor: C400-MTF 0009 Size: 244198MB BusType: 3
19:50:46.647    Disk 0 MBR read successfully
19:50:46.653    Disk 0 MBR scan
19:50:46.658    Disk 0 Windows 7 default MBR code
19:50:46.661    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        15500 MB offset 2048
19:50:46.666    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 31746048
19:50:46.670    Disk 0 Partition - 00     0F Extended LBA            228596 MB offset 31950848
19:50:46.675    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       220398 MB offset 31952896
19:50:46.679    Disk 0 Partition - 00     05     Extended              8197 MB offset 483328000
19:50:46.685    Disk 0 Partition 4 00     84 OS/2 hidden C:    Gb´¿     8196 MB offset 483330048
19:50:46.706    Disk 0 scanning C:\Windows\system32\drivers
19:50:48.467    Service scanning
19:50:52.601    Modules scanning
19:50:52.624    Disk 0 trace - called modules:
19:50:52.632    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
19:50:52.638    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006a13060]
19:50:52.643    3 CLASSPNP.SYS[fffff88001d5643f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa80042da050]
19:50:53.041    AVAST engine scan C:\Windows
19:50:53.752    AVAST engine scan C:\Windows\system32
19:51:10.929    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
19:51:11.293    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
19:51:26.866    AVAST engine scan C:\Windows\system32\drivers
19:51:29.338    AVAST engine scan C:\Users\Sasha
19:51:47.691    AVAST engine scan C:\ProgramData
19:51:51.848    Scan finished successfully
19:53:51.530    Disk 0 MBR has been saved successfully to "C:\Users\Sasha\Documents\MBR.dat"
19:53:51.534    The log file has been saved successfully to "C:\Users\Sasha\Documents\aswMBR.txt"

Offline SafeSurf

  • avast! Evangelist
  • Ultra Poster
  • ***
  • Posts: 4919
    • Personal Message (Offline)
Re: Win32: Malware-gen
« Reply #2 on: July 17, 2012, 09:59:55 AM »
Your aswMBR log shows a rootkit.  I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine now that you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless Essexboy instructs you do to malware removal instructions; use a different machine to check email, sync your phone or other devices.

Let us know if you have any questions.  Thank you.
iMac (Mavericks)/Safari and Firefox (NoScript/AdBlockPlus/BetterPrivacy/Ghostey)/
Vista Home Prem (same add-on's)/Avast Free/Online Armor Premium Firewall/MBAM Prem)/ Avast Mobile Security with MBAM Pro/ iPad 4th gen.

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28899
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Win32: Malware-gen
« Reply #3 on: July 17, 2012, 01:36:07 PM »
Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    O2 - BHO: (FLV Runner Toolbar) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - C:\Program Files (x86)\FLV_Runner\prxtbFLV_.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (FLV Runner Toolbar) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - C:\Program Files (x86)\FLV_Runner\prxtbFLV_.dll (Conduit Ltd.)
    [2012/07/08 17:50:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Conduit
    [2012/07/08 17:49:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FLV_Runner

    :Files
    ipconfig /flushdns /c
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Windows\Installer\{36d462c4-1a9d-9e2a-f63d-bbc0e3ed2173}
    C:\Users\Sasha\AppData\Local\{36d462c4-1a9d-9e2a-f63d-bbc0e3ed2173}

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks




  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Offline Sashkello

  • Newbie
  • *
  • Posts: 3
    • Personal Message (Offline)
Re: Win32: Malware-gen
« Reply #4 on: July 17, 2012, 09:52:15 PM »
Everything seem to work fine now.
Thank you very much!!!

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28899
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Win32: Malware-gen
« Reply #5 on: July 17, 2012, 09:55:14 PM »
Any outstanding problems ?

 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now