Author Topic: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats


Waldoctg

  • Guest
Hi there,

I am getting popups from Avast for Win32:Malware-gen & Win32:Downloader-PKU [Trj] threats.  Attached are the logs from MBAM (the MBAM log is pasted into this post as directed in the tutorial), OTL, and aswMBR.

NOTE:  My OTL only had one log, I hope that is OK.  The "Extra" log was never generated.

Thanks,
Waldoctg



Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.25.05

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Mastah C :: MASTAHC-PC [administrator]

7/25/2012 11:26:21 AM
mbam-log-2012-07-25 (11-26-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 188570
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 2872 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Windows\Installer\{5f630132-9963-ef36-282d-8922e40b0a4d}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

Waldoctg

Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #1 on: July 25, 2012, 08:51:19 PM »
Did I not include something correctly?  Anyone?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #2 on: July 25, 2012, 08:55:23 PM »
You should also have run aswMBR and attached that log.

A malware removal specialist has been informed of your topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Waldoctg

Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #3 on: July 25, 2012, 08:59:30 PM »
Hi,

I did? Or thought I did...  Isn't the attachment aswMBR.txt the correct one?

Thanks,
Waldoctg
« Last Edit: July 25, 2012, 09:04:46 PM by Waldoctg »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #4 on: July 25, 2012, 09:05:04 PM »
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No CLSID value found.
    O3 - HKU\S-1-5-21-3121085536-567810485-1202720719-1000\..\Toolbar\WebBrowser: (no name) - {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No CLSID value found.

    :Files
    ipconfig /flushdns /c
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{5f630132-9963-ef36-282d-8922e40b0a4d}
    C:\Windows\System32\config\systemprofile\AppData\Local\{5f630132-9963-ef36-282d-8922e40b0a4d}
    C:\Windows\Installer\{5f630132-9963-ef36-282d-8922e40b0a4d}

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.

FINALLY

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
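Added example, not part of the original thread and not OTL's, MBAM's or ComboFix's own code: the file paths and registry entries that the MBAM log and the OTL fix above name, turned into a read-only PowerShell check that reports and deletes nothing. It assumes an elevated PowerShell prompt on the Windows 7 x64 machine from the logs; the {5f630132-...} folder name and the {977AE9CC-...} toolbar CLSID are the values that machine's logs report and are specific to it. Run it before the fix to confirm what is there and again after the reboot to confirm it is gone; a file that MBAM marked "Delete on reboot" is still present until the restart, and a hash for each file found gives you something to submit or look up rather than a bare path.

```powershell
# Added triage check; not part of the original thread and not OTL's or MBAM's own code.
# Read-only: it reports the indicators named in the MBAM log and the OTL fix, it deletes nothing.
# Assumes an elevated PowerShell prompt on the Windows 7 x64 machine from the logs; the GUID and
# toolbar CLSID are the values that machine's logs report and will differ on any other system.

$guid  = '{5f630132-9963-ef36-282d-8922e40b0a4d}'   # folder name from the MBAM log and OTL :Files list
$clsid = '{977AE9CC-AF83-45E8-9E03-E2798216E2D5}'   # toolbar CLSID from the OTL O3 lines
$root  = $env:SystemRoot

function Get-Sha256([string]$Path) {
    # Hash via .NET so this also runs on the PowerShell 2.0 that shipped with Windows 7.
    # Returns 'unreadable' if the file's ACL or a lock blocks reading, rather than aborting.
    try {
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
        return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLower()
    } catch { return 'unreadable' }
}

$findings = @()

# 1. svchost.exe belongs in System32 (and SysWOW64 on x64); MBAM reported one directly under
#    C:\Windows. Check that path and every running svchost.exe. No recursive search: WinSxS
#    legitimately holds further copies and would produce false positives.
$legit = @("$root\System32\svchost.exe", "$root\SysWOW64\svchost.exe")
$rogue = "$root\svchost.exe"
if (Test-Path -LiteralPath $rogue) {
    $findings += "Rogue svchost.exe on disk: $rogue sha256=$(Get-Sha256 $rogue)"
}
$findings += @(Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($legit -notcontains $_.Path) } |
    ForEach-Object { "Running svchost.exe outside System32: $($_.Path) (PID $($_.Id))" })

# 2. The three {GUID} folders from the OTL :Files list, plus whatever they currently hold
#    (the MBAM log found 00000008.@ inside the Installer one).
$dirs = @("$root\Installer\$guid",
          "$root\System32\config\systemprofile\AppData\Local\$guid",
          "$root\SysWOW64\config\systemprofile\AppData\Local\$guid")
foreach ($d in $dirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    $findings += "Dropper folder present: $d"
    $findings += @(Get-ChildItem -LiteralPath $d -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { "  file: $($_.FullName) $($_.Length) bytes sha256=$(Get-Sha256 $_.FullName)" })
}

# 3. Desktop.ini inside the GAC folders; the OTL fix deletes exactly these two files.
foreach ($ini in @("$root\assembly\GAC_32\Desktop.ini", "$root\assembly\GAC_64\Desktop.ini")) {
    if (Test-Path -LiteralPath $ini) {
        $size = (Get-Item -LiteralPath $ini -Force).Length
        $findings += "Unexpected Desktop.ini: $ini $size bytes sha256=$(Get-Sha256 $ini)"
    }
}

# 4. The toolbar value OTL listed as "No CLSID value found": HKLM plus every loaded user hive,
#    mirroring the O3 lines (HKLM uses Toolbar, user hives use Toolbar\WebBrowser).
$keys  = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar")
$keys += @(Get-ChildItem Registry::HKEY_USERS |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser" })
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    if ((Get-Item $k).GetValueNames() -contains $clsid) {
        $registered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $findings += "Toolbar value $clsid in $k (CLSID registered: $registered)"
    }
}

if ($findings.Count -gt 0) { $findings } else { "None of the thread's indicators were found on this system." }
```

The check deliberately looks only at the exact locations from the logs rather than searching the whole drive: a broad search for svchost.exe would hit the legitimate copies under WinSxS, and a broad search for .@ files is slow and tells you nothing the folder test does not. If a file in one of the {GUID} folders hashes as unreadable, its ACL is blocking you; note the path anyway, since that is itself worth reporting back in the thread.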

Offline DavidR

Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #5 on: July 25, 2012, 09:53:35 PM »
I did? Or thought I did...  Isn't the attachment aswMBR.txt the correct one?

My error, must clean these glasses.

Waldoctg

Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #6 on: July 25, 2012, 10:12:05 PM »
@DavidR Not a problem, man!  ;)

Here are the logs.

Note:  I ran the OTL quickscan AFTER the combofix... I hope that is not a problem.  Also, am I missing a log?  I recall saving a log somewhere on my computer, but I cannot remember which program it was... I recall it being after a fix.  Maybe not?

Anyways...



16:09:00.0013 3320   TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
16:09:02.0026 3320   ============================================================
16:09:02.0026 3320   Current date / time: 2012/07/25 16:09:02.0026
16:09:02.0026 3320   SystemInfo:
16:09:02.0026 3320   
16:09:02.0026 3320   OS Version: 6.1.7600 ServicePack: 0.0
16:09:02.0026 3320   Product type: Workstation
16:09:02.0026 3320   ComputerName: MASTAHC-PC
16:09:02.0026 3320   UserName: Mastah C
16:09:02.0026 3320   Windows directory: C:\Windows
16:09:02.0026 3320   System windows directory: C:\Windows
16:09:02.0026 3320   Running under WOW64
16:09:02.0026 3320   Processor architecture: Intel x64
16:09:02.0026 3320   Number of processors: 2
16:09:02.0026 3320   Page size: 0x1000
16:09:02.0026 3320   Boot type: Normal boot
16:09:02.0026 3320   ============================================================
16:09:03.0087 3320   Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
16:09:03.0102 3320   ============================================================
16:09:03.0102 3320   \Device\Harddisk0\DR0:
16:09:03.0102 3320   MBR partitions:
16:09:03.0102 3320   \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x2542D800
16:09:03.0102 3320   ============================================================
16:09:03.0118 3320   C: <-> \Device\Harddisk0\DR0\Partition0
16:09:03.0118 3320   ============================================================
16:09:03.0118 3320   Initialize success
16:09:03.0118 3320   ============================================================

Waldoctg

Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #7 on: July 25, 2012, 10:50:04 PM »
Also, I can enable Avast again, right?

Thanks,
Waldoctg

Offline DavidR

Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #8 on: July 26, 2012, 12:19:26 AM »
Yes restart avast, it was only stopped for the combofix scan.

Essexboy will need to check the logs you attached to see if anything else is required.

How is the computer running now after the OTL fix ?

Offline essexboy

Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #9 on: July 26, 2012, 12:26:51 AM »
Yes restart avast, it was only stopped for the combofix scan.

Essexboy will need to check the logs you attached to see if anything else is required.

How is the computer running now after the OTL fix ?
Spot on  ;D

Waldoctg

Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #10 on: July 26, 2012, 12:33:22 AM »
Thank you guys so so much!  You are blessings!  :D  I have a gig tomorrow, and didn't want my computer bugging out...

Again, thank you.
Waldoctg

Waldoctg

Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #11 on: July 26, 2012, 12:51:44 AM »
Hi guys,

I just got another notification from Avast that a threat was detected... It was the Win32:Malware-gen...  Maybe something was missed?

Thanks,
Waldoctg

Offline DavidR

Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #12 on: July 26, 2012, 02:10:11 AM »
What was the file name and location of the detection ?

It is almost 1:10am in the UK, so essexboy will be in bed now; there will be a delay before he is able to investigate if required.

Waldoctg

Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #13 on: July 26, 2012, 04:44:08 PM »
Hey guys,

The file name is 00000004.@ and the location is C:\Windows\Installer\{5f630132-9963-ef36-282d-8922e40b0a4d}\U

Not a problem.  I was busy at the time anyways.  I hope we can get it solved today... We shall see.

Thanks!
Waldoctg

Offline DavidR

Re: Help! Win32:Malware-gen & Win 32:Downloader-PKU [Trj] threats
« Reply #14 on: July 26, 2012, 05:10:31 PM »
Well, that location was in the OTL fix that essexboy compiled. You did run the fix as outlined in his Reply #4 above?