Win32:Downloader-PKU + Win32- Malware-Gen

[PhRey]

Hey,

Avast is detecting all this stuff (4 times per hour)  : Win32: Downloader-PKU-Malware + Win32-Gen
But it does not remove the problem (I do not know anything about viruses, i can only imagine ..)

(in french sorry, but i can translate some part if needed ;o)
Malwarebytes Anti-Malware (Essai) 1.62.0.1300
www.malwarebytes.org

Version de la base de données: v2012.08.08.11

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Philippe :: PHILIPPE-MUSIC [administrateur]

Protection: Activé

08/08/2012 23:52:23
mbam-log-2012-08-08 (23-52-23).txt

Type d'examen: Examen rapide
Options d'examen activées: Mémoire | Démarrage | Registre | Système de fichiers | Heuristique/Extra | Heuristique/Shuriken | PUP | PUM
Options d'examen désactivées: P2P
Elément(s) analysé(s): 295505
Temps écoulé: 18 minute(s), 23 seconde(s)

Processus mémoire détecté(s): 0
(Aucun élément nuisible détecté)

Module(s) mémoire détecté(s): 0
(Aucun élément nuisible détecté)

Clé(s) du Registre détectée(s): 1
HKCU\Software\Visicom Media (Adware.KeenValue) -> Mis en quarantaine et supprimé avec succès.

Valeur(s) du Registre détectée(s): 0
(Aucun élément nuisible détecté)

Elément(s) de données du Registre détecté(s): 0
(Aucun élément nuisible détecté)

Dossier(s) détecté(s): 0
(Aucun élément nuisible détecté)

Fichier(s) détecté(s): 4
C:\Windows\Installer\{583a3e06-fa9b-8b8f-dcd4-8949182b6ad4}\n (Rootkit.0Access) -> Mis en quarantaine et supprimé avec succès.
C:\Windows\Installer\{583a3e06-fa9b-8b8f-dcd4-8949182b6ad4}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Mis en quarantaine et supprimé avec succès.
C:\Windows\Installer\{583a3e06-fa9b-8b8f-dcd4-8949182b6ad4}\U\000000cb.@ (Rootkit.0Access) -> Mis en quarantaine et supprimé avec succès.
C:\Windows\Installer\{583a3e06-fa9b-8b8f-dcd4-8949182b6ad4}\U\80000032.@ (Rootkit.0Access) -> Mis en quarantaine et supprimé avec succès.

(end)

In short, can you help me please ?
Let me know if you need something more.

Thank you !
Phil

[Pondus]

we also need OTL and aswMBR log

http://forum.avast.com/index.php?topic=53253.0

[PhRey]

we also need OTL and aswMBR log

http://forum.avast.com/index.php?topic=53253.0

Ok thanks ;o)
It's done (see attached files)

(aswMBP log to come)

[PhRey]

And here is the aswMBP log ;o)

Thanks !
Phil

(not sure that the process has ended when i saved the log file... ?)

[Pondus]

malware removers are notified. it may take several hours before one arrive so be patient

[PhRey]

malware removers are notified. it may take several hours before one arrive so be patient

Thank you very much ;o)

[essexboy]

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

  :OTL
  @Alternate Data Stream - 993 bytes -> C:\Program Files (x86)\Common Files\System:Eu3Tuese6GOcLLJLBx1
  @Alternate Data Stream - 992 bytes -> C:\ProgramData\Microsoft:bYntwOYUsKvFwco1Dr1dqlPYSf82L7
  @Alternate Data Stream - 1284 bytes -> C:\Program Files\Common Files\Microsoft Shared:FCwlqT8FP7tROUXGBy86
  @Alternate Data Stream - 1221 bytes -> C:\ProgramData\Microsoft:39qj2rLEMYZmPYzl1sdokTIxIqpkh
  @Alternate Data Stream - 1198 bytes -> C:\Users\Philippe\AppData\Local\Temp:wsHWOAN8MRUThFdJpLkf45
  @Alternate Data Stream - 1198 bytes -> C:\ProgramData\Microsoft:fNgHYy8zJLpUTs5VzVVnlWnU
  @Alternate Data Stream - 1194 bytes -> C:\ProgramData\Microsoft:vXhqan3wPoJkQUridCYE
  @Alternate Data Stream - 1138 bytes -> C:\Program Files (x86)\Common Files\System:FDMl5lF9mMByOlqOTAMQsg6
  @Alternate Data Stream - 1124 bytes -> C:\ProgramData\MicrosoftqQXxPZFhoi5xsy5JzwwCtPqIZ
  @Alternate Data Stream - 1112 bytes -> C:\Program Files (x86)\Common Files\microsoft shared:FCwlqT8FP7tROUXGBy86
  @Alternate Data Stream - 1043 bytes -> C:\ProgramData\Microsoft:0K7SVvJ7EgiQzZ9x2GtHVWIq3I
  
  :Files
  C:\Windows\Installer\{583a3e06-fa9b-8b8f-dcd4-8949182b6ad4}
  C:\Users\Philippe\AppData\Local\{583a3e06-fa9b-8b8f-dcd4-8949182b6ad4}
  ipconfig /flushdns /c
  netsh int ip reset c:\resetlog.txt  /c
  ipconfig /release /c
  ipconfig /renew /c
  sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

FINALLY

run farbar service scanner



Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

[PhRey]

Thank you ;o)

OTL is now creating a restaure point. But it seems very long.... (15 minutes now....)

[essexboy]

Give it another minute or two, if it has not finished then stop it and continue to the next step

[PhRey]

Give it another minute or two, if it has not finished then stop it and continue to the next step

Ok thanks, how can i do this please ? (sorry i really don't know this software, and do not want to make a mistake..)

[essexboy]

Two options :  Either click the red x top right, or open taskmanager and end the OTL process 

[PhRey]

Two options :  Either click the red x top right, or open taskmanager and end the OTL process

I have to reset manually... the PC seems  frozen... (i'm writing from another PC)

[essexboy]

OK that will work..

[PhRey]

OK that will work..

Yes it works ;o)

Here are 2 logs : the first one was made by OTL directely (and very quickely) after the reboot + the other is the log done after the quick scan

[essexboy]

Could you continue with combofix now please