Malware and trojan horse, seems to be everyone's problem, need help also

Got a constant warning from my Avast blocking these 2; read a lot of posts, will post what info I can on the stuff I have found.

2012/07/19 20:23:35 -0600 BEEF-PC Beef MESSAGE Executing scheduled update: Daily
2012/07/19 20:23:35 -0600 BEEF-PC Beef MESSAGE Starting protection
2012/07/19 20:23:37 -0600 BEEF-PC Beef MESSAGE Protection started successfully
2012/07/19 20:23:40 -0600 BEEF-PC Beef MESSAGE Starting IP protection
2012/07/19 20:23:40 -0600 BEEF-PC Beef ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
2012/07/19 20:23:42 -0600 BEEF-PC Beef MESSAGE Scheduled update executed successfully: database updated from version v2012.07.03.05 to version v2012.07.20.01
2012/07/19 20:23:42 -0600 BEEF-PC Beef MESSAGE Starting database refresh
2012/07/19 20:23:43 -0600 BEEF-PC Beef MESSAGE Database refreshed successfully
2012/07/19 20:23:44 -0600 BEEF-PC Beef MESSAGE Starting database refresh
2012/07/19 20:23:45 -0600 BEEF-PC Beef MESSAGE Database refreshed successfully
2012/07/19 20:23:49 -0600 BEEF-PC Beef MESSAGE Starting IP protection
2012/07/19 20:23:49 -0600 BEEF-PC Beef ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
2012/07/19 20:28:47 -0600 BEEF-PC Beef MESSAGE Starting protection
2012/07/19 20:28:49 -0600 BEEF-PC Beef MESSAGE Protection started successfully
2012/07/19 20:28:52 -0600 BEEF-PC Beef MESSAGE Starting IP protection
2012/07/19 20:28:52 -0600 BEEF-PC Beef ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753

7/19/2012 8:23:57 PM
mbam-log-2012-07-19 (20-23-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208240
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Beef\Downloads\coretemp_1236.exe (PUP.BundleOffers.IIQ) → Quarantined and deleted successfully.
C:\Windows\Installer\{ad70aaff-c262-0e84-62c4-2265f340940f}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.

(end)
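The two logs above have a regular shape, so a small triage parser can pull out what a helper actually looks for: recurring ERROR lines in the protection log and scan detections that the scanner could not clean. This is an added example, not a tool from the thread; the sample input is constructed in the same layout as the posted logs, and the third scan line (placeholder threat name, "Access denied." action) is made up to exercise the unresolved branch.

```python
import re
from collections import Counter

# Constructed samples in the layout of the two logs quoted above; the third scan line
# is made up (placeholder threat name) to exercise the "not cleaned" branch.
PROTECTION_LOG = """\
2012/07/19 20:23:35 -0600 BEEF-PC Beef MESSAGE Starting protection
2012/07/19 20:23:40 -0600 BEEF-PC Beef ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
2012/07/19 20:28:52 -0600 BEEF-PC Beef ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
"""
SCAN_LOG = """\
Files Detected: 3
C:\\Users\\Beef\\Downloads\\coretemp_1236.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.
C:\\Windows\\Installer\\{ad70aaff-c262-0e84-62c4-2265f340940f}\\U\\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\\Windows\\assembly\\GAC_32\\Desktop.ini (Trojan.Placeholder) -> Access denied.
"""
PROT_RE = re.compile(r"^(\S+ \S+ [+-]\d{4}) (\S+) (\S+) (MESSAGE|ERROR|WARNING) (.*)$")
DETECT_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) (?:->|→) (?P<action>.+)$")
RESOLVED = "Quarantined and deleted successfully."

def parse_protection_log(text):
    """One dict per well-formed line; malformed lines are skipped rather than guessed at."""
    keys = ("ts", "host", "user", "level", "msg")
    return [dict(zip(keys, m.groups())) for line in text.splitlines() if (m := PROT_RE.match(line))]

def recurring_errors(events, min_count=2):
    """ERROR messages repeated verbatim: a component failing on every start is worth escalating."""
    counts = Counter(e["msg"] for e in events if e["level"] == "ERROR")
    return {msg: n for msg, n in counts.items() if n >= min_count}

def parse_detections(text):
    """Detection lines of the form 'path (Threat.Name) -> action' as dicts; headers are ignored."""
    return [m.groupdict() for line in text.splitlines() if (m := DETECT_RE.match(line))]

def triage(detections):
    """Separate what still needs attention from what the scanner already removed."""
    report = {"unresolved": [], "pup": [], "handled": []}
    for d in detections:
        if d["action"] != RESOLVED:
            report["unresolved"].append(d["path"])  # scanner could not clean it
        elif d["threat"].startswith("PUP."):
            report["pup"].append(d["path"])  # bundled adware, lower priority
        else:
            report["handled"].append(d["path"])
    return report

if __name__ == "__main__":
    print(recurring_errors(parse_protection_log(PROTECTION_LOG)))
    print(triage(parse_detections(SCAN_LOG)))
```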

Hi :slight_smile:

Step #1

Re-run OTL.exe.

- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:OTL
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

:files
C:\Windows\Installer\{ad70aaff-c262-0e84-62c4-2265f340940f}
C:\Users\Beef\AppData\Local\{ad70aaff-c262-0e84-62c4-2265f340940f}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
ipconfig /flushdns /c

:commands
[emptytemp]

- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

Step #2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read these instructions.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

OK, I did what you asked. My question is also: this computer is only a gaming computer, so to reformat it will be no real loss, I just need to install a couple of games and Firefox and iTunes. Would it even still be better to do that if it never pops up again, or if it fails to pop up on Avast, is it safe?

I think there is no need for drastic measures :wink:

Open Notepad and copy/paste the text present inside the code box below:

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\S-1-5-21-4178966267-1456273018-2741120150-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-4178966267-1456273018-2741120150-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

Save this as CFScript.txt

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Avast hasn't come up saying I have anything. In between when I got your last message and by the time I did it, I ran Malwarebytes and Avast; Malwarebytes found nothing but Avast found 2 infections, says threat win32:Sirefef-pl rtk, says access is denied 5, and the location is windows/assembly/gac_32 and the other is _64/desktop.ini.

OK, don't worry…

Step #1

Open Notepad and copy/paste the text present inside the code box below:

File::
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

KillAll::

Save this as CFScript.txt

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Step #2

Run Avast, click on Upgrade and Update, and then download a fresh version.
(Maintenance > Update > Update program)

Run an Avast boot-time scan:
(Scan computer > Boot-time scan > Schedule Now)

http://fotkica.com/imgs2/94804_47426678_avastboot2.jpg

Click on Restart computer

The computer will restart and, before the system starts, it will begin the boot-scan process.
During scanning, if malware is detected, select Move infected files to Quarantine.

When the scan is finished, restart. When the system is up and running in normal mode, go here:
C:\ProgramData\AVAST Software\Avast\report

Please attach here aswBoot.txt

Step #3
How is your computer running now?

Found 4 infections: some coin miner, and the 2 that I posted on in my last post; didn't see the other, but guess you will see it in the report. Still no Avast warning coming up. Have to go to bed, will check when I wake up. I know you are doing this free of charge and want to say thanks very much for helping me. I can build computers and deal with hardware issues, but I lack any sort of knowledge of software issues and code.

The first two detected are files from the ComboFix Quarantine.
The following two files were deleted by ComboFix with the CFScript, if you even started ComboFix.

If you did follow Step #1 from my previous message, attach the ComboFix log here (C:\ComboFix.txt).
If you skipped that step, follow it now: run ComboFix with the CFScript and, when finished, attach ComboFix.txt here.

Basically, that should be it. You should not have any detections and the system should be clean.

Yeah, I did it when you asked, so is it still on my system? Is it safe to use passwords etc.? Worried about banking stuff. Also, how did this computer get infected? This is a computer inside my home and my brothers live with me; are they getting into stuff I have told them not to watch?

Yep, you appear clean now 8)

The logs look good and there are no traces of active malware.
And yes, I recommend that you change all your important passwords just in case.

"Also, how did this computer get infected?"
Honestly, I would not know how you got infected. There are so many ways... For this reason it is important that you're using updated and active antivirus software.

For additional protection, you have Malwarebytes.

I also recommend this light tool (MCShield), designed to prevent infections transmitted via removable drives.
http://amf.mycity.rs/mcshield
It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will immediately clean the memory card or external HDD, etc.

It is necessary to uninstall ComboFix:

Start >> Run

Combofix /Uninstall

Enter

Re-run OTL and click on CleanUp!