Author Topic: 800000cb.@, 80000000.@, 80000004.@, and MBR:\\.\PHYSICALDRIVE0\Partition4


Zkyo

  • Guest
I'm not sure if these four persistent viruses are connected or not, but I've been having some issues with them. I installed Spybot: Search and Destroy, along with Malwarebytes recently, and they both temporarily fix the issue. Everything started when I got a UAC prompt yesterday for some odd .exe file I had never heard of (I didn't think much of it at the time, so I didn't write it down), so I chose no. It constantly kept looping, asking for permission, and I couldn't find a way to even select another window to search for information on it (Alt+Tab, and even Task Manager wasn't working). Pretty much the only thing I could do was to do a hard restart on the computer, and everything seemed fine after that, no viruses detected by Avast. Shortly after that, I noticed that my web browser was running a lot slower than normal, so I installed Spybot and Malwarebytes to look for anything else. They both found some minor malware and removed it, but that didn't seem to help any. Now, I will occasionally hear an audio advertisement for some random product playing in the background, even with all programs closed. Also, my network connections are sometimes disabled, until I restart the computer. Also, for some reason, the window I'm working on will randomly become inactive, as if I had selected another one. It's been rather annoying while typing this post.

Anyways, now I keep getting a notification about every 5 minutes from avast about these three malware files being removed:
C:\Windows\Installer\{17355d44-1279-9319-ebde-458fc3196648}\U\800000cb.@
C:\Windows\Installer\{17355d44-1279-9319-ebde-458fc3196648}\U\80000000.@
C:\Windows\Installer\{17355d44-1279-9319-ebde-458fc3196648}\U\80000004.@

These same files now show up in an avast scan, here's a copy of the result log:
MBR: \\.\PHYSICALDRIVE0\Partition4 - High - Threat: MBR:SST [Rtk] - Error: The handle is invalid
C:\ProgramData\AVAST Software\Avast\log\unp211368238.tmp.mdmp - High - Threat: MBR:SST [Rtk] - Action Successful
C:\Windows\assembly\GAC_32\Desktop.ini - High - Threat: Win32:Sirefef-PL [Rtk] - Error: Access is denied (5)
C:\Windows\assembly\GAC_64\Desktop.ini - High - Threat: Win32:Sirefef-PL [Rtk] - Error: Access is denied (5)
C:\Windows\Installer\{17355d44-1279-9319-ebde-458fc3196648}\U\00000004.@ - High - Threat: Win32:Malware-gen - Error: The system cannot find the file specified (2)
C:\Windows\Installer\{17355d44-1279-9319-ebde-458fc3196648}\U\000000cb.@ - High - Threat: Win32:Malware-gen - Action Successful
C:\Windows\Installer\{17355d44-1279-9319-ebde-458fc3196648}\U\80000000.@ - High - Threat: Win32:Malware-gen - Action Successful
C:\Windows\assembly\GAC_32\Desktop.ini - High - Threat: Win32:Sirefef-PL [Rtk] - Error: Access is denied (5)

Also, here's the Malwarebytes log:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.12.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Zak :: 361990-PC [limited]

8/12/2012 12:23:04 AM
mbam-log-2012-08-12 (00-23-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 238889
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Detected: 1
C:\ProgramData\cDVshTcDKAQCOy.exe (Rogue.FakeHDD) -> 4368 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|cDVshTcDKAQCOy.exe (Rogue.FakeHDD) -> Data: C:\ProgramData\cDVshTcDKAQCOy.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\ProgramData\cDVshTcDKAQCOy.exe (Rogue.FakeHDD) -> Delete on reboot.
C:\Users\Zak\AppData\Roaming\.minecraft\cartograph g\Cartograph_G_Post_Processor.exe (Trojan.Agent.cn) -> Quarantined and deleted successfully.
C:\Users\Zak\AppData\Local\Temp\update10.b.exe (RootKit.0Access) -> Quarantined and deleted successfully.
C:\Users\Zak\AppData\Local\Temp\wEkPvkcP0vtEUO.exe.tmp (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Windows\Installer\{17355d44-1279-9319-ebde-458fc3196648}\n (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{17355d44-1279-9319-ebde-458fc3196648}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{17355d44-1279-9319-ebde-458fc3196648}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{17355d44-1279-9319-ebde-458fc3196648}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\Zak\AppData\Local\Temp\wuauclt.exe (Trojan.Agent) -> Delete on reboot.

(end)





Offline Pondus

  • Probably Bot
  • Posts: 37143
  • Not a avast user
follow guide and attach OTL and aswMBR logs

http://forum.avast.com/index.php?topic=53253.0

Zkyo

  • Guest
Here's the log for OTL, but I couldn't get aswMBR to work for some reason. I ran the file, it prompts for admin, then nothing.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40590
  • Dragons by Sasha
    • Malware fixes
Hi there, I need to look at the MBR partitions... So whilst I look at the other logs:

  • Download RogueKiller and save it on your desktop
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Zkyo

  • Guest
Alright, here are those logs. Shortly after I had chosen the delete option, I got a message saying the RPC had failed, but continued anyway.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40590
  • Dragons by Sasha
    • Malware fixes
Quote
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1953495040 | Size: 10 Mo
This is the badboy. The following programme may not work. If not, do you have either the Windows CD or a USB drive of at least 1Gb, preferably 4Gb?

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.
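As an added illustration (not code from this thread or from any of the tools named in it), the following Python reads a raw 512-byte MBR and flags the pattern essexboy points at in the RogueKiller line above: a hidden-type partition (0x17) that carries the active boot flag. The hidden-type table and the sample sector are constructed for the example; the check only parses the sector and writes nothing.

```python
import struct

SECTOR = 512
# "Hidden" variants of ordinary file-system type ids (standard MBR id list); 0x27 (hidden WinRE) is left out because Windows creates that one itself.
HIDDEN_TYPES = {0x11: "hidden FAT12", 0x14: "hidden FAT16 <32M",
                0x16: "hidden FAT16", 0x17: "hidden NTFS/HPFS",
                0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA", 0x1E: "hidden FAT16 LBA"}

def parse_mbr(mbr: bytes) -> list:
    """Decode the four primary entries of a 512-byte MBR partition table."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 55AA signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i  # table starts at byte 446, 16 bytes per entry
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        entries.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                        "start": lba, "sectors": count,
                        "size_mb": count * SECTOR / (1024 * 1024)})
    return entries

def suspicious_partitions(entries: list) -> list:
    """Flag the bootkit pattern: a hidden-type partition, or a tiny partition
    that carries the active (boot) flag."""
    findings = []
    for e in entries:
        if e["type"] == 0:
            continue  # empty slot
        reasons = []
        if e["type"] in HIDDEN_TYPES:
            reasons.append("hidden type 0x%02X (%s)" % (e["type"], HIDDEN_TYPES[e["type"]]))
        if e["active"] and e["size_mb"] < 50:
            reasons.append("active flag on a %.0f MB partition" % e["size_mb"])
        if reasons:
            findings.append({"index": e["index"], "reasons": reasons})
    return findings

def _entry(status, ptype, lba, count):
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)

# Constructed sample: System Reserved + OS partitions, then a 10 MB hidden NTFS (0x17)
# partition at the end of the disk marked active, mirroring the RogueKiller line above.
SAMPLE_MBR = (b"\x00" * 446 + _entry(0x00, 0x07, 2048, 204800)
              + _entry(0x00, 0x07, 206848, 1953288192)
              + _entry(0x80, 0x17, 1953495040, 20480)
              + _entry(0x00, 0x00, 0, 0) + b"\x55\xaa")

for f in suspicious_partitions(parse_mbr(SAMPLE_MBR)):
    print("partition %d: %s" % (f["index"], "; ".join(f["reasons"])))
```

On a real disk the same sector can be read from the first 512 bytes of the physical drive; a legitimate Windows layout has the active flag on the System Reserved or OS partition, never on a hidden type at the end of the disk.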

Zkyo

  • Guest
Nope, the program isn't working. Same as with aswMBR, it prompts for admin, then nothing. I do have a 4 gb USB flash drive, but not a Windows CD, or access to another computer with Windows 7.

Edit: Just got a new notice from avast. Windows explorer crashed and restarted shortly after.
URL:   http://mcooking.info/?2f3463c42c4b0c2234...
Process:   C:\Windows\explorer.exe
Infection:   URL:Mal

2nd Edit: I noticed that Avast's notifications for the xxx.@ trojans have stopped... I don't know if that's good or bad.
« Last Edit: August 13, 2012, 10:18:14 PM by Zkyo »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40590
  • Dragons by Sasha
    • Malware fixes
Download the following three programmes to your desktop :

1.  WiNTBootIc
2.  Windows 7 64bit RC
3.  Listparts64

Extract wintoboot to your desktop
Insert a USB drive of at least 4GB
Run Wintoboot

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

It will let you know when it is done
Then copy listparts64 to the same USB

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this although yours will say Windows 7.
Click repair my computer

Select your operating system

Select Command prompt

At the command prompt type the following :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\listparts64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (result.txt) on the flash drive. Please copy and paste it to your reply.

Zkyo

  • Guest
Alright, that one worked too.

As far as I can tell, the computer is still completely usable, I've only found a couple of minor problems now, at least visible ones: random redirects in Firefox (usually to porn or fake antivirus sites), and the windows losing focus every few minutes.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40590
  • Dragons by Sasha
    • Malware fixes
Download the attached fix.txt to the same USB as Listparts
Restart in the recovery console as before
Run Listparts and select fix
A log will be saved on the USB drive.

Reboot to normal Windows

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

FINALLY

Run Farbar Service Scanner

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Zkyo

  • Guest
Alright, apparently something went wrong. I did exactly what you said at the start, copied the fix.txt to the USB, and ran fixparts, same as before. It finished successfully, and I set it back to booting from the hard drive first, and I simply get an error that says bootmgr is missing, and press Ctrl+Alt+Delete to restart, nothing else.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40590
  • Dragons by Sasha
    • Malware fixes
Using the recovery console usb

Select startup repair

Zkyo

  • Guest
Running the startup repair worked, and I just ran combofix. However, once it restarted, it appears to have hung on creating a log, it's been stuck on that for about 10 minutes now. Should I just close it and look for the log file?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40590
  • Dragons by Sasha
    • Malware fixes
Yes give it another 5 then reboot...  I think what happened is that list parts did not register the new system partition which should be the active one.... So I set the OS to be active

Zkyo

  • Guest
It finished a couple of minutes after, and Farbar ran without any problems. The logs are attached. So far, the computer seems to be running MUCH better, I have not gotten any alerts through Avast, and my wifi connection quality is much better (~40% -> 92%). I'll run a couple of scans through Avast and Malwarebytes to make sure the virus is gone. Thank you so much for the help. :D