Author Topic: Win32:Malware-gen


cjust
Win32:Malware-gen
« on: January 19, 2013, 02:42:55 AM »
Every few minutes avast is notifying me that I have several viruses.  They are Win32:Malware-gen, Win32:Siref-Aoo, and Win32:Trojan-gen.  They are all in the System32\services process and from objects in the 'installer' directory.

I have run MBAM several times, each time it finds and reports a successful cleaning of Trojan.Dropper.BCMiner.

Below is the MBAM log.  In the next post I will attach the OTL logs.

(I apologize if this is a double post; it didn't look like it went through last time because of a captcha problem.)

Edit: forgot to post the MBAM log - the most recent one was clean.

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.18.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Chris :: OFFICE [administrator]

1/18/2013 8:58:31 PM
mbam-log-2013-01-18 (20-58-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 258688
Time elapsed: 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
« Last Edit: January 19, 2013, 03:01:05 AM by cjust »

cjust
Re: Win32:Malware-gen (otl log)
« Reply #1 on: January 19, 2013, 02:48:01 AM »
Attached are the otl logs.

cjust
Re: Win32:Malware-gen
« Reply #2 on: January 19, 2013, 02:49:55 AM »
Here is the aswMBR log.  I'll paste it in and attach it.  I'm not sure which way is more helpful.

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-01-18 20:33:16
-----------------------------
20:33:16.476    OS Version: Windows x64 6.1.7601 Service Pack 1
20:33:16.476    Number of processors: 8 586 0x3A09
20:33:16.476    ComputerName: OFFICE  UserName: Chris
20:33:16.761    Initialize success
20:33:16.805    AVAST engine defs: 13011802
20:33:18.410    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3
20:33:18.413    Disk 0 Vendor: SAMSUNG_SSD_830_Series CXM03B1Q Size: 244198MB BusType: 11
20:33:18.416    Disk 0 MBR read successfully
20:33:18.418    Disk 0 MBR scan
20:33:18.422    Disk 0 Windows 7 default MBR code
20:33:18.424    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
20:33:18.428    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       244096 MB offset 206848
20:33:18.433    Disk 0 scanning C:\Windows\system32\drivers
20:33:19.318    Service scanning
20:33:22.546    Modules scanning
20:33:22.553    Disk 0 trace - called modules:
20:33:22.559    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
20:33:22.563    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800d30c790]
20:33:22.568    3 CLASSPNP.SYS[fffff8800165143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-3[0xfffffa800d0f4060]
20:33:22.811    AVAST engine scan C:\Windows
20:33:23.116    AVAST engine scan C:\Windows\system32
20:33:30.347    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Sirefef-ZT [Trj]
20:33:33.017    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
20:33:33.272    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
20:33:46.501    AVAST engine scan C:\Windows\system32\drivers
20:33:47.592    AVAST engine scan C:\Users\Chris
20:34:15.856    AVAST engine scan C:\ProgramData
20:34:31.849    Scan finished successfully
20:34:38.112    Disk 0 MBR has been saved successfully to "C:\Users\Chris\Desktop\MBR.dat"
20:34:38.114    The log file has been saved successfully to "C:\Users\Chris\Desktop\aswMBR.txt"
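As an added example (not code from this thread, from AVAST, or from the aswMBR tool), a small Python triage script for the aswMBR log format quoted above: it extracts the partition table, checks the stock-MBR line, and lists the **INFECTED** entries, flagging when a core Windows binary such as services.exe is among them. The sample log lines are constructed to match the shape of the post, not the poster's real file.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the aswMBR lines quoted above
# (not the poster's real log file; detection names copied from the post).
SAMPLE_LOG = r"""
20:33:16.476    OS Version: Windows x64 6.1.7601 Service Pack 1
20:33:18.422    Disk 0 Windows 7 default MBR code
20:33:18.424    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
20:33:18.428    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       244096 MB offset 206848
20:33:30.347    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Sirefef-ZT [Trj]
20:33:33.017    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
20:34:31.849    Scan finished successfully
"""

# "<time>    File: <path>  **INFECTED** <name> [<category>]"
INFECTED_RE = re.compile(
    r"^\S+\s+File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<det>\S+)\s+\[(?P<cat>\w+)\]")
# "Partition <n> <boot flag> ... <size> MB offset <sectors>"
PARTITION_RE = re.compile(
    r"Partition\s+(?P<n>\d+)\s+(?P<boot>[0-9A-F]{2}).*?(?P<size>\d+)\s+MB\s+offset\s+(?P<off>\d+)")


@dataclass
class Finding:
    path: str
    detection: str
    category: str  # avast suffix as printed: Trj = trojan, Rtk = rootkit


def parse_findings(text: str) -> list:
    """Return every **INFECTED** file entry in an aswMBR log."""
    hits = (INFECTED_RE.match(line) for line in text.splitlines())
    return [Finding(m["path"], m["det"], m["cat"]) for m in hits if m]


def parse_partitions(text: str) -> list:
    """Return (number, bootable, size_mb, offset_sectors) per partition line."""
    out = []
    for m in filter(None, map(PARTITION_RE.search, text.splitlines())):
        out.append((int(m["n"]), m["boot"] == "80", int(m["size"]), int(m["off"])))
    return out


def triage(text: str) -> dict:
    """Summary a helper would post back: MBR state, flagged files, core-binary hit."""
    findings = parse_findings(text)
    return {
        "mbr_stock": any("default MBR code" in l for l in text.splitlines()),
        "flagged": [f.path for f in findings],
        "system_binary_hit": any(f.path.lower().endswith(r"\system32\services.exe") for f in findings),
        "rootkit_components": [f.path for f in findings if f.category == "Rtk"],
    }
```

A patched services.exe with rootkit-tagged companions, as in the log above, is the signature the helper keys on when asking for an md5 check of services.exe later in the thread.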

mikaelrask
Re: Win32:Malware-gen
« Reply #3 on: January 19, 2013, 10:00:42 AM »
Hey and welcome to the forum. Thank you for attaching the necessary logs. I will drop a note to one of our malware experts on your topic.
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

magna86
Re: Win32:Malware-gen
« Reply #4 on: January 19, 2013, 01:01:25 PM »


@cjust
Hello and welcome to avast.  ;)


  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something, please don't hesitate to ask.
  • Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.
---   ---   ---   ---   ---   ---   ---   ---   ---   ---   ---   ---   ---   ---   ---   ---  ---


Step #1


Download TDSSKiller and save it to your desktop.

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.


************************


Step #2



Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit

    Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.

  • Unzip/unrar MBAR into a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe.
  • Click on Next, then on the Update button to download fresh definitions.
  • When the database updates, click Next.
  • In the following window ensure the "Targets" Drivers, Sectors and System are ticked. Then select the "Scan" button.
  • If infections are found, ensure "Create Restore Point" is checked, then select the "Cleanup" button to remove threats.
    Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.
  • The clean-up procedure will be scheduled for processing.
  • When complete, a pop-up will show. Select the Yes button and the system should reboot to complete the cleaning process.
>> Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.


***********************


Step #3


Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:

CREATERESTOREPOINT
/md5start
services.exe
/md5stop
dir /s /a "C:\Windows\Installer\{777e5fe8-7921-a813-271b-0a6078b396d9}" /c

  • Then click the RunScan button at the top.
  • Attach here the fresh OTL.txt log report.

cjust
Re: Win32:Malware-gen
« Reply #5 on: January 19, 2013, 03:03:10 PM »
Magna, thanks for getting back to me.  In between my last post and your suggestions, I ran RogueKiller.  It seems to have taken care of the problem.  I am no longer getting the messages from avast.  Also, an avast scan, the mbam scan, and the aswMBR are all showing up clean.  Is there anything I should run or upload to verify that my machine is clean now?

magna86
Re: Win32:Malware-gen
« Reply #6 on: January 19, 2013, 03:20:38 PM »
Is there anything I should run or upload to verify that my machine is clean now?

Yes, follow instructions for running TDSSKiller and OTL. You may skip MBAR.
Attach here TDSSKiller log and fresh OTL.txt report.

cjust
Re: Win32:Malware-gen
« Reply #7 on: January 19, 2013, 08:04:16 PM »
Thanks again for the help!  Here are the logs you requested.  The OTL was created using the original custom scan below.

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

magna86
Re: Win32:Malware-gen
« Reply #8 on: January 19, 2013, 08:21:36 PM »
Hi,

Please read again!

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something, please don't hesitate to ask.
  • Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

And it is necessary that you follow the directions exactly as I wrote them.
---   ---   ---   ---   ---   ---   ---   ---   ---   ---   ---   ---   ---   ---   ---   ---   


Combofix report


> I see that you have run Combofix.

Please read this:
http://www.techsupportforum.com/forums/showpost.php?p=1829551
http://www.bleepingcomputer.com/forums/topic273628.html


> Go to your systemroot drive (C:\ drive) and attach here the Combofix.txt log report.

C:\Combofix.txt

*****************
Running OTL Fix

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:
:files
C:\Windows\Installer\{777e5fe8-7921-a813-271b-0a6078b396d9}\U
C:\Windows\Installer\{777e5fe8-7921-a813-271b-0a6078b396d9}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:commands
[CREATERESTOREPOINT]
[emptytemp]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
*****************


Running OTL Custom Scan

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:

CREATERESTOREPOINT
dir /s /a "C:\Windows\Installer\{777e5fe8-7921-a813-271b-0a6078b396d9}" /c

  • Then click the RunScan button at the top.
  • Attach here the fresh OTL.txt log report.
*****************


USB storage/devices check


O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/06/17 03:50:18 | 000,000,054 | R--- | M] () - D:\autorun.bat -- [ CDFS ]
O32 - AutoRun File - [2003/02/22 22:23:19 | 000,000,045 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2004/05/01 15:35:55 | 000,000,967 | R--- | M] () - D:\autorun.pif -- [ CDFS ]


> Let's check and run an additional USB storage devices / removable drives malware check.


Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

  • Double-click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish the initial scan.
    Recommendation: under the General and Scanner tabs, click on the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has made.

Start -> All Programs -> MCShield -> Logs

Attach here -> AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.


« Last Edit: January 19, 2013, 08:24:09 PM by magna86 »

cjust
Re: Win32:Malware-gen
« Reply #9 on: January 19, 2013, 09:10:26 PM »
I'm sorry, I ran combofix before you started working on my case.  I didn't realize how dangerous it was.  That said, something I've done along the way seems to have deleted the log file.  I saw it there last night, but now it is gone.  I'm attaching the other files you requested.


magna86
Re: Win32:Malware-gen
« Reply #10 on: January 20, 2013, 10:53:14 AM »
How's your computer running now?  8)

cjust
Re: Win32:Malware-gen
« Reply #11 on: January 20, 2013, 02:55:20 PM »
It seems to be running well.  I'm not getting any messages of viruses at all.

At the end of the mcshield scan, it says:

=> Malicious files   : 0/255 deleted.
=> Malicious folders : 0/83 deleted.

Does that mean 0 of the 255 malicious files deleted?  I'm also wondering what all the stuff in the 'c:\restore' directory is.  It looks a little strange with all the directory nesting.

magna86
Re: Win32:Malware-gen
« Reply #12 on: January 21, 2013, 01:27:13 PM »
Hi,
Don't worry, nothing is deleted.
=> Malicious files   : 0/255 deleted.
=> Malicious folders : 0/83 deleted.
Zero files have been deleted.



The folder has been created by some software for data recovery.
That folder name and location is often used by malware, and therefore is targeted by name.
The detection has been ejected from the base, and the MCS database upgraded.




Remove used tools.

> Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.




I recommend keeping Malwarebytes if you will. You may remove Malwarebytes via Control Panel > Programs and Features.


I recommend using MCShield if you will. You may also remove MCShield via Control Panel > Programs and Features.
MCShield will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will immediately clean the flash drive, memory card or external HDD.

cjust
Re: Win32:Malware-gen
« Reply #13 on: January 21, 2013, 03:13:51 PM »
Thanks again for all your help!

magna86
Re: Win32:Malware-gen
« Reply #14 on: January 21, 2013, 06:26:08 PM »
You're welcome.  ;)