Hello, I'm working on a friend's computer and I've gotten this far, but every 5 minutes or so the Trojan Horse and Malware keeps popping up with THREAT DETECTED, and it's the 0000004 & 0000008 Malware\Trojan. Please help when you can; it would be greatly appreciated.
We need the logs from Malwarebytes / OTL / aswMBR: http://forum.avast.com/index.php?topic=53253.0
Malwarebytes Logs
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.23.02
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Tilo :: TILO-PC [administrator]
Protection: Enabled
8/23/2012 1:18:05 AM
mbam-log-2012-08-23 (01-18-05).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 224602
Time elapsed: 2 minute(s), 53 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 4
C:\Users\Tilo\Downloads\LimeWireSetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Windows\Installer\{256fafff-9b71-5c3c-765f-b7f1e8557917}\n (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{256fafff-9b71-5c3c-765f-b7f1e8557917}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{256fafff-9b71-5c3c-765f-b7f1e8557917}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)
OTL log must be attached.
And just from looking at your MBAM log, it confirms the Sirefef rootkit infection.
Malware removers are notified. It may take hours before one arrives, so be patient.
Otl.txt. I hope this helps.
Here's the other:
Extras.txt
Thank you very much for your time.
Here's the aswMBR.exe log.
Once again, thank you for your time.
From the aswMBR it showed:
02:43:47.873 File: C:\Windows\system32\services.exe INFECTED Win32:Patched-AKC [Trj]
02:44:10.790 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
02:44:12.537 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
I'm sure that is the culprit.
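The two logs above carry the classic ZeroAccess/Sirefef footprint: a hidden GUID-named directory under C:\Windows\Installer holding "U\*.@" module files, a patched services.exe, and Desktop.ini loaders planted in the GAC_32/GAC_64 assembly folders. The script below is an added example, not part of this thread or any of the tools mentioned in it. It parses detection lines in the Malwarebytes and aswMBR formats (sample lines constructed here after the posted logs, with "->" standing in for the garbled separator), tags each one with the indicator it matches, and derives the companion directories a cleaner would want to inspect for each GUID it sees, which is exactly the pair the later OTL fix deletes (C:\Windows\Installer\{GUID} and the per-user AppData\Local\{GUID} copy). The path patterns and the %LOCALAPPDATA% placeholder are assumptions made for the example.

```python
"""Triage Malwarebytes and aswMBR detection lines for ZeroAccess/Sirefef indicators."""
import re
from dataclasses import dataclass, field

# Constructed sample input modelled on the two logs posted in this thread
# (the '->' arrow stands in for the garbled separator of the MBAM log).
MBAM_LINES = [
    r"C:\Users\Tilo\Downloads\LimeWireSetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.",
    r"C:\Windows\Installer\{256fafff-9b71-5c3c-765f-b7f1e8557917}\n (Rootkit.0Access) -> Quarantined and deleted successfully.",
    r"C:\Windows\Installer\{256fafff-9b71-5c3c-765f-b7f1e8557917}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.",
    r"C:\Windows\Installer\{256fafff-9b71-5c3c-765f-b7f1e8557917}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.",
]
ASWMBR_LINES = [
    r"02:43:47.873 File: C:\Windows\system32\services.exe INFECTED Win32:Patched-AKC [Trj]",
    r"02:44:10.790 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]",
    r"02:44:12.537 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]",
]

# Line shapes of the two tools as they appear in the thread.
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")
ASWMBR_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) File: (?P<path>.+?) INFECTED (?P<name>\S+) \[(?P<cls>\w+)\]$"
)
# A path component that is a bare {GUID} directory (assumed indicator pattern).
GUID_DIR_RE = re.compile(r"\\(\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})\\", re.I)


@dataclass
class Detection:
    source: str          # "mbam" or "aswmbr"
    path: str            # file path reported by the scanner
    name: str            # scanner's detection name
    reasons: list = field(default_factory=list)  # indicator tags added by classify()


def parse_mbam(lines):
    """Return Detection objects for every MBAM 'Files Detected' line that parses."""
    found = []
    for line in lines:
        m = MBAM_RE.match(line.strip())
        if m:
            found.append(Detection("mbam", m["path"], m["name"]))
    return found


def parse_aswmbr(lines):
    """Return Detection objects for every aswMBR 'File: ... INFECTED ...' line."""
    found = []
    for line in lines:
        m = ASWMBR_RE.match(line.strip())
        if m:
            found.append(Detection("aswmbr", m["path"], m["name"]))
    return found


def classify(det):
    """Tag a detection with the ZeroAccess/Sirefef indicators its path and name match."""
    low = det.path.lower()
    reasons = []
    guid = GUID_DIR_RE.search(det.path)
    if guid and ("\\windows\\installer\\" in low or "\\appdata\\local\\" in low):
        reasons.append("ZeroAccess-style hidden GUID directory " + guid.group(1))
    if low.endswith(".@"):
        reasons.append("ZeroAccess module file (*.@)")
    if re.search(r"\\windows\\assembly\\gac_(32|64)\\desktop\.ini$", low):
        reasons.append("Sirefef loader planted as GAC Desktop.ini")
    if low.endswith("\\services.exe") and "patched" in det.name.lower():
        reasons.append("system binary services.exe patched in place")
    det.reasons = reasons
    return det


def triage(mbam_lines, aswmbr_lines):
    """Parse both logs, classify, and list the companion GUID directories to inspect."""
    dets = [classify(d) for d in parse_mbam(mbam_lines) + parse_aswmbr(aswmbr_lines)]
    guids = sorted({m.group(1) for m in (GUID_DIR_RE.search(d.path) for d in dets) if m})
    # ZeroAccess keeps a machine-wide and a per-user copy of the same GUID directory;
    # both are what the OTL fix in this thread removes.
    check_paths = []
    for g in guids:
        check_paths.append("C:\\Windows\\Installer\\" + g)
        check_paths.append("%LOCALAPPDATA%\\" + g)
    return {
        "detections": dets,
        "rootkit_indicators": [d for d in dets if d.reasons],
        "guids": guids,
        "check_paths": check_paths,
    }


if __name__ == "__main__":
    result = triage(MBAM_LINES, ASWMBR_LINES)
    for d in result["rootkit_indicators"]:
        print(f"[{d.source}] {d.path}\n    {'; '.join(d.reasons)}")
    print("Directories to verify are gone:", *result["check_paths"], sep="\n  ")
```

Running it on the constructed lines flags six of the seven detections (the LimeWire adware download is the only one without a rootkit indicator) and prints the two GUID directories to re-check after cleanup.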
They are the problem... Soon to be history.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
[*] Under the Custom Scans/Fixes box at the bottom, paste in the following:
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"Last Counter"=dword:00000fc8
"Last Help"=dword:00000fc9
"First Counter"=dword:00000fb8
"First Help"=dword:00000fb9
"Object List"="4024"
"1008"=hex(b):50,94,22,ad,0d,ad,cc,01
"PerfMMFileName"="Global\\MMF_BITS_s"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,94,00,00,00,a4,00,00,00,14,00,00,00,34,00,00,00,02,\
00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
00,00,20,02,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,\
00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,\
00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
:Files
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\Installer\{256fafff-9b71-5c3c-765f-b7f1e8557917}
C:\Users\Tilo\AppData\Local\{256fafff-9b71-5c3c-765f-b7f1e8557917}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
[*] Then click the Run Fix button at the top.
[*] Let the program run unhindered, and reboot the PC when it is done.
[*] Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*] Double click on ComboFix.exe & follow the prompts.
[*] Accept the disclaimer and allow it to update if it asks.
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
[*] When finished, it shall produce a log for you.
[*] Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
- Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
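Most of the :Reg section of the fix above is opaque hex(2)/hex(7) data, which is the .reg encoding of UTF-16LE strings. Before running a script that rewrites a service definition it is worth decoding it to see what will actually be written. The decoder below is an added example, not part of this thread or of OTL; it parses a subset of the BITS lines from the fix (copied as the sample input, including their continuation lines) and shows that they restore BITS to the stock Windows 7 definition: ImagePath `%SystemRoot%\system32\svchost.exe -k netsvcs`, ServiceDll `%systemroot%\system32\qmgr.dll`, Start=2 (automatic), depending on RpcSs and EventSystem. The "stock" reference values in `bits_looks_stock` are Windows 7 defaults as known to the author of the example, not something the thread states.

```python
"""Decode the hex-encoded values of a .reg / OTL ':Reg' fragment (added example)."""
import re

# Sample input: a subset of the BITS lines from the OTL fix posted in this thread.
SAMPLE_FRAGMENT = r'''
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000002
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
'''

HEX_RE = re.compile(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")
BITS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS"


def _join_continuations(text):
    """Glue hex value lines that end in ',\\' back into single logical lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        buf += line
        if buf.endswith(",\\"):      # regedit continuation marker
            buf = buf[:-1]
            continue
        logical.append(buf)
        buf = ""
    if buf:
        logical.append(buf)
    return logical


def _decode_value(rhs):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if rhs.startswith("dword:"):
        return int(rhs[6:], 16)
    m = HEX_RE.match(rhs)
    if m:
        kind = int(m.group(1), 16) if m.group(1) else 3      # bare hex: is REG_BINARY (3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (1, 2):                                    # REG_SZ / REG_EXPAND_SZ
            return raw.decode("utf-16-le").rstrip("\x00")
        if kind == 7:                                         # REG_MULTI_SZ
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
        return raw                                            # REG_BINARY, REG_QWORD, ...
    return rhs


def parse_reg_fragment(text):
    """Map each key path to {value name: decoded value}; a '[-KEY]' deletion maps to None."""
    tree, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                tree[key[1:]] = None
                current = None
            else:
                current = tree.setdefault(key, {})
            continue
        if current is None or "=" not in line:
            continue
        name, rhs = line.split("=", 1)
        current["(Default)" if name == '""' else name.strip('"')] = _decode_value(rhs)
    return tree


def bits_looks_stock(tree):
    """True if the decoded BITS entries match the stock Windows 7 service definition
    (reference values are the example author's assumption, not stated in the thread)."""
    svc = tree.get(BITS_KEY, {})
    params = tree.get(BITS_KEY + r"\Parameters", {})
    return (
        svc.get("ImagePath", "").lower() == r"%systemroot%\system32\svchost.exe -k netsvcs"
        and params.get("ServiceDll", "").lower() == r"%systemroot%\system32\qmgr.dll"
        and svc.get("Start") == 2
        and svc.get("DependOnService") == ["RpcSs", "EventSystem"]
    )


if __name__ == "__main__":
    reg = parse_reg_fragment(SAMPLE_FRAGMENT)
    for key, values in reg.items():
        print(f"[{key}]" if values is not None else f"[-{key}]  (deleted)")
        for name, value in (values or {}).items():
            print(f"    {name} = {value!r}")
    print("BITS matches stock definition:", bits_looks_stock(reg))
```

The same decoder works on any regedit export, so it can also be pointed at a `reg export` of the live BITS key to compare a suspect machine against the values the fix writes.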
Here's the otl.exe quick scan log.
Here's the combofix.exe log. Things have actually been running smoothly.
I enabled Avast Anti-Virus and it's been almost 30 minutes without any THREAT DETECTED, LOL.
But for the most part I think it's cleared up... The main issue, though, other than the virus/malware, was that he was trying to get on his Verizon wifi hotspot that he bought for himself but wasn't able to get on. Is there any other kind of software that will scan his little hotspot for infections?
Is there any kind of probing questions you can ask me that would also help the computer's performance and/or also tell if any kind of viruses are still present?
Once again, I thank you so VERY MUCH for your time.
Well, the main problem is that these rootkit programs are changing every day, so no antivirus is immune to them... This is one thing I don't like about the malware creators... they just keep changing their programming ;D
Hi true indian,
Worse even, the changes to their malcreations are being made automatically. But there are certain patterns to flag, and that protection is called IDS;
see urlquery.net scans...
polonus
When he tries to log on to the hotspot, what error is displayed?
Scanning with GMER
Before scanning, make sure all other running programs are closed and no other actions, like a scheduled antivirus scan, will occur while the scan is being performed. Do not use your computer for anything else during the scan.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here or here.
[*] Extract the contents of the zipped file to the desktop.
[*] Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
[*] If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO.
http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg
Click the image to enlarge it
[*] In the right panel, you will see several boxes that have been checked. Uncheck the following...
[ ] IAT/EAT
[ ] Drives/Partitions other than Systemdrive (typically C:)
[ ] Show All (don't miss this one)
[*] Then click the Scan button & wait for it to finish.
[*] Once done, click on the [Save...] button, and in the File name area, type in "Gmer.txt", or it will save as a .log file which cannot be uploaded to your post.
[*] Save it where you can easily find it, such as your desktop, and attach it in your reply.
Notes:
Caution
Rootkit scans often produce false positives. Do NOT take any action on any "<-- ROOTKIT" entries.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
I couldn't get GMER to launch properly... the System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, Libraries were grayed out, and I extracted to the desktop several times. I tried with Avast on and off, I tried in safe mode and it still didn't work, I even turned off UAC and it didn't work, and I tried both links and got the same outcome... Not sure if I'm doing something wrong, but I kept trying for about an hour and just couldn't get it going... What's the dealio?
Well, I got the wireless hotspot to work properly, so I no longer need help with the gmer.exe issue. Thank you for your time, and if I need any other help I will get back with you, Computer Defenders. THANK YOU!
Could you run GMER as it appears... Different Windows systems only allow certain elements to be checked.