Author Topic: Win32:Downloader-PKU {Trj}  (Read 11731 times)


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32:Downloader-PKU {Trj}
« Reply #15 on: July 22, 2012, 09:24:22 PM »
There are a few stubborn files...now we use a far more aggressive tool:


Download AVZ Antiviral Toolkit and save it to your Desktop from here:
http://devbuilds.kaspersky-labs.com/devbuilds/AVZ/avz4.zip

Extract the archive to a folder.

Run AVZ by double-clicking on this icon:


File > Custom Scripts

In the window that opens, copy/paste everything inside the quotebox below:

Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('c:\windows\system32\services.exe.A4BE147A75F4DD46','');
DeleteFile('c:\windows\system32\services.exe.A4BE147A75F4DD46');
QuarantineFile('c:\windows\F896D02690164122B9BD957FF092FFE9.TMP','');
DeleteFile('c:\windows\F896D02690164122B9BD957FF092FFE9.TMP');
DeleteFileMask('%Tmp%' , '*.*' , true) ;
BC_ImportDeletedList;
BC_Activate;
ExecuteSysClean;
RebootWindows(true);
end.


Click on Run and wait for the script to execute.

>> Reboot Windows
>> Re-run Combofix, attach a fresh log here.




Mattyc1983

  • Guest
Re: Win32:Downloader-PKU {Trj}
« Reply #16 on: July 22, 2012, 10:54:55 PM »
Tried that...says there is a problem that has caused the program to stop working...and then it closes

Offline magna86

Re: Win32:Downloader-PKU {Trj}
« Reply #17 on: July 23, 2012, 01:27:31 AM »
 :o Hm...
Obviously we need to resolve this outside the Windows environment.
In principle, there is nothing malicious running, but I just want to make sure, to avoid possible re-infection.


  • Download FRST64 to a USB flash drive.
  • Plug the USB drive into the infected machine.
Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...


  • Select the Command Prompt option.
  • A command window will open.
    • Type notepad then hit Enter.
    • Notepad will open.
      • Click File > Open then select Computer.
      • Note down the drive letter for your USB Drive.
      • Close Notepad.
  • Back in the command window ....
    • Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • FRST will start to run.
      • When the tool opens click Yes to disclaimer.
      • Press Scan button.
      • When finished scanning it will make a log FRST.txt on the flash drive.
  • Next
    • Type Services.exe into the Search: field in FRST then click the Search File(s) button.
    • FRST will search your computer for files and when finished it will produce a log Search.txt on the flash drive.
    • Exit FRST.
  • Close the command window.
  • Boot back into normal mode and post me the FRST.txt and Search.txt logs please.

Mattyc1983

  • Guest
Re: Win32:Downloader-PKU {Trj}
« Reply #18 on: July 23, 2012, 12:35:31 PM »
All done...

Offline magna86

Re: Win32:Downloader-PKU {Trj}
« Reply #19 on: July 23, 2012, 02:13:02 PM »

Open notepad.
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
Code:
Start
2012-07-22 03:23 - 2012-07-22 03:52 - 00000000 ____D C:\Windows\F896D02690164122B9BD957FF092FFE9.TMP
2012-07-22 01:55 - 2012-07-22 01:55 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A4BE147A75F4DD46
end
  • Save it to your USB flashdrive as fixlist.txt
>>  Boot into Recovery Environment


Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  •     Press the Fix button once and wait.
  •     FRST will process fixlist.txt
  •     When finished, it will produce a log fixlog.txt on your USB flashdrive.
>>  Exit out of Recovery Environment and post me the log please.

******************************
...and the last check:

Delete the current Combofix, download a fresh copy and run it. Attach a fresh Combofix log here.

Mattyc1983

  • Guest
Re: Win32:Downloader-PKU {Trj}
« Reply #20 on: July 23, 2012, 04:07:29 PM »
Followed all the steps...

You are a saint by the way for persevering to help me!  :)

Offline magna86

Re: Win32:Downloader-PKU {Trj}
« Reply #21 on: July 23, 2012, 04:23:41 PM »
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}


You forgot to turn off the antivirus   ;D


>> How is your computer running now?    :)




Mattyc1983

  • Guest
Re: Win32:Downloader-PKU {Trj}
« Reply #22 on: July 23, 2012, 04:30:23 PM »
Fine...should I repeat it again? Minus the antivirus, haha

Offline magna86

Re: Win32:Downloader-PKU {Trj}
« Reply #23 on: July 23, 2012, 04:39:22 PM »
Fine...should I repeat it again?

No need.  :)

We need to remove the tools we used:

It is necessary to uninstall Combofix


Start >> Run

Code:
Combofix /Uninstall
Enter


>Re-run OTL and hit the CleanUp! button.

 ;)


anespaok

  • Guest
Re: Win32:Downloader-PKU {Trj}
« Reply #24 on: July 25, 2012, 03:20:34 AM »
Can you help me?
Here are the txts from frst64:

Offline magna86

Re: Win32:Downloader-PKU {Trj}
« Reply #25 on: July 25, 2012, 03:43:44 AM »
All right. Hold on while I review the log.
You should open a new thread for your problem.  ;)

Offline magna86

Re: Win32:Downloader-PKU {Trj}
« Reply #26 on: July 25, 2012, 04:03:24 AM »
@anespaok
These fix steps are made for you!!!


Step 1


Open notepad.
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
Code:
Start
SubSystems: [Windows] ==> ZeroAccess
0 235ff5467dc0cc15; C:\Windows\System32\Drivers\235ff5467dc0cc15.sys [74184 2012-06-23] () ATTENTION =====> Rootkit?
2012-07-24 16:28 - 2012-07-24 16:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.24BD4A6167518968
2012-07-24 16:28 - 2012-07-24 16:28 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ytojbbke.sys
2012-07-24 16:25 - 2012-07-24 16:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EE8B89440C4ED2FC
2012-07-24 16:15 - 2012-07-24 16:15 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D82429B05A30DE3B
2012-07-24 16:10 - 2012-07-24 16:10 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3369E6F29E382544
2012-07-24 16:07 - 2012-07-24 16:07 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1E442670E3F5A9A5
2012-07-24 13:58 - 2012-07-24 13:58 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6A4502F0575B6CF4
2012-07-24 12:27 - 2012-07-24 12:27 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.308C5E04447F2625
2012-07-24 11:58 - 2012-07-24 11:58 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D0E69C0F996348EF
2012-07-24 10:38 - 2012-07-24 10:38 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.543DE62E81178553
2012-07-24 08:59 - 2012-07-24 08:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E7BB03DDAE181A29
2012-07-24 06:28 - 2012-07-24 06:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.693348642441A5A4
2012-07-24 16:28 - 2012-07-24 16:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.24BD4A6167518968
2012-07-24 16:25 - 2012-07-24 16:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EE8B89440C4ED2FC
2012-07-24 16:15 - 2012-07-24 16:15 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D82429B05A30DE3B
2012-07-24 16:10 - 2012-07-24 16:10 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3369E6F29E382544
2012-07-24 16:07 - 2012-07-24 16:07 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1E442670E3F5A9A5
2012-07-24 13:58 - 2012-07-24 13:58 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6A4502F0575B6CF4
2012-07-24 12:27 - 2012-07-24 12:27 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.308C5E04447F2625
2012-07-24 11:58 - 2012-07-24 11:58 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D0E69C0F996348EF
2012-07-24 10:38 - 2012-07-24 10:38 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.543DE62E81178553
2012-07-24 08:59 - 2012-07-24 08:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E7BB03DDAE181A29
2012-07-24 06:28 - 2012-07-24 06:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.693348642441A5A4
2012-06-23 03:52 - 2012-06-23 03:52 - 00074184 ____A C:\Windows\System32\Drivers\235ff5467dc0cc15.sys
ZeroAccess:
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\@
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\L
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U\00000001.@
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U\80000000.@
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U\800000cb.@
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end
  • Save it to your USB flashdrive as fixlist.txt
>>  Boot into Recovery Environment


Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  •     Press the Fix button once and wait.
  •     FRST will process fixlist.txt
  •     When finished, it will produce a log fixlog.txt on your USB flashdrive.
>>  Exit out of Recovery Environment and post me the log please.


***************************

Step 2

Please download Malwarebytes' AntiMalware.

Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
    The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
**************************
Step 3

Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool. Select Yes if prompted to download the Avast database.
  • Click Scan
     
  • Upon completion of the scan ( Scan finished successfully ) click Save log and save it to your desktop, and post that log in your next reply for review.
    Note: do NOT attempt any Fix yet.
     
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.
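A defender's triage helper for the indicators the fixlist in Step 1 names (the renamed services.exe copies with a 16-hex suffix, the Installer\{GUID} store and the unsigned random-name driver). This is an added example, not FRST's code or anything posted in the thread: the FRST line layout is inferred from the lines quoted above, the sample lines are constructed from paths quoted in the thread, and the driver rule is only a heuristic.

```python
import re
# One FRST "files created" line as laid out in the fixlist above (layout inferred):
# "<created> - <modified> - <size> <attrs> [(Company)] <path>"
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$")
# Indicator patterns derived from paths quoted in the thread; the driver rule is
# a heuristic (8-16 alphanumerics, and no company string, checked in classify).
SERVICES_COPY = re.compile(r"\\System32\\services\.exe\.[0-9A-F]{16}$", re.I)
INSTALLER_STORE = re.compile(r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}(\\|$)", re.I)
RANDOM_DRIVER = re.compile(r"\\System32\\Drivers\\[0-9a-z]{8,16}\.sys$", re.I)

def parse_frst_line(line):
    """Split an FRST file line into fields; a bare path becomes a path-only record."""
    m = FRST_LINE.match(line.strip())
    if m:
        return m.groupdict()
    return {"path": line.strip(), "company": None, "size": None, "attrs": None}

def classify(rec):
    """Name the indicator a record matches, or None."""
    path = rec["path"]
    if SERVICES_COPY.search(path):
        return "renamed services.exe copy"
    if INSTALLER_STORE.search(path):
        return "Installer {GUID} store"
    if RANDOM_DRIVER.search(path) and not rec["company"]:
        return "unsigned random-name driver"
    return None

def triage(lines):
    """Group matching paths by indicator; the Start/end fixlist markers are skipped."""
    hits = {}
    for line in lines:
        text = line.strip()
        if not text or text.lower() in ("start", "end"):
            continue
        rec = parse_frst_line(text)
        tag = classify(rec)
        if tag:
            hits.setdefault(tag, []).append(rec["path"])
    return hits

# Constructed sample: lines quoted in the thread, including ytojbbke.sys.
SAMPLE = r"""Start
2012-07-24 16:28 - 2012-07-24 16:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.24BD4A6167518968
2012-07-24 16:28 - 2012-07-24 16:28 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ytojbbke.sys
2012-06-23 03:52 - 2012-06-23 03:52 - 00074184 ____A C:\Windows\System32\Drivers\235ff5467dc0cc15.sys
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U\80000000.@
end""".splitlines()
```

ytojbbke.sys is not flagged because FRST reports a company string for it, which is the limit of this heuristic; the fixlist above still removes it on the helper's judgement.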

anespaok

  • Guest
Re: Win32:Downloader-PKU {Trj}
« Reply #27 on: July 25, 2012, 10:30:01 AM »
thank you.  ;D

Offline magna86

Re: Win32:Downloader-PKU {Trj}
« Reply #28 on: July 25, 2012, 01:43:12 PM »
@ anespaok
Logs look very good. Additional checks:

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

    * When done, DDS will open two (2) logs:
        1. DDS.txt
        2. Attach.txt

Save both reports to your desktop. Attach DDS.txt and Attach.txt back to the topic.