Please help: Avast is detecting Win32:Malware-gen and Win32:Downloader~PKU[Trj]

A rookie needs help. My Avast has been coming up with these two: Win32:Malware-gen and Win32:Downloader~PKU[Trj], and a supposed Adobe installer 11.3 keeps popping up. What do I do?

Thank you in advance Joe

I just ran a scan and it came up with these 4:
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\Installer\{001f2297-d9eb-eb10-93be-ee436f965386}\U\00000004.@
C:\Windows\Installer\{001f2297-d9eb-eb10-93be-ee436f965386}\U\0000000cb.@
C:\Windows\Installer\{001f2297-d9eb-eb10-93be-ee436f965386}\U\80000000.@

Here is the Mbam log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.04.10

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Joe :: JOE-PC [administrator]

8/4/2012 9:55:06 PM
mbam-log-2012-08-04 (21-55-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198555
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\Joe\AppData\Roaming\wimrc.dll (Trojan.Midhos) → Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Users\Joe\AppData\Roaming\wimrc.dll (Trojan.Midhos) → Delete on reboot.
C:\Users\Joe\AppData\Local\Temp\sgwe3t.exe (Exploit.Drop.COD) → Quarantined and deleted successfully.
C:\Users\Joe\AppData\Local\Temp\wpbt0.dll (Exploit.Drop.COD) → Quarantined and deleted successfully.
C:\Users\Joe\AppData\Local\Temp\~!#E8E6.tmp (Trojan.Lameshield) → Quarantined and deleted successfully.
C:\Windows\Installer\{001f2297-d9eb-eb10-93be-ee436f965386}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.
C:\Windows\Installer\{001f2297-d9eb-eb10-93be-ee436f965386}\U\000000cb.@ (Rootkit.0Access) → Quarantined and deleted successfully.

(end)

The OTL is attached

Thank you

Here is the aswMBR log

A malware removal specialist has been informed of your topic.

Hi there, before I start cleaning could you upload the Adobe file to Avast as potential malware?

Open Avast and go to the virus chest
Right click the blank area and select add

http://dl.dropbox.com/u/73555776/open%20chest.jpg

Navigate to Adobe installer 11.3

http://dl.dropbox.com/u/73555776/navigate.JPG

Select the file

http://dl.dropbox.com/u/73555776/select.JPG

Right click the file in the chest and select submit to virus labs

http://dl.dropbox.com/u/73555776/add%20submit.JPG

In the additional information box type “virus dropper sirfef”
Once done manually update the virus definitions to send it

NOW TO REMOVE IT

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O4:64bit: - HKLM..\Run: [ocasp] C:\Users\Joe\AppData\Roaming\ocasp.dll ()
O4:64bit: - HKLM..\Run: [wimrc] rundll32.exe "C:\Users\Joe\AppData\Roaming\wimrc.dll",HrGetStreamPos File not found
O36 - AppCertDlls: MASeerpt - (C:\Windows\system32\Deviutil.dll) - File not found
O36 - AppCertDlls: mcbupugc - (C:\Windows\system32\Deviutil64.dll) - File not found
[2012/08/04 16:24:13 | 000,000,000 | ---D | C] -- C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
[2012/08/04 16:21:04 | 000,437,248 | ---- | C] () -- C:\Users\Joe\AppData\Roaming\ocasp.dll

:Files
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\Installer\{001f2297-d9eb-eb10-93be-ee436f965386}
C:\Users\Joe\AppData\Local\{001f2297-d9eb-eb10-93be-ee436f965386}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

FINALLY

Run Farbar Service Scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Here is the OTL log. I'm not sure it worked though because Avast recognized it as malware. I will wait for your reply before I proceed further, just in case I have to run it again with Avast turned off.

Thank you,
Joe

Proceed with the ComboFix run please

I continued with the ComboFix and it seemed like it went through, but it did not produce a log. I tried doing a search for combofix.txt and it did not find anything.

Also, I had to leave for a few hours before doing this. When I returned my browsers (Opera, IE and Firefox) were not working, so I had to reboot to connect to the internet. Would this affect the ComboFix outcome?

What should I do next?

Thank you,
Joe

Opera, IE and Firefox were not working. So I had to reboot to connect to the internet.
Was this due to being marked for deletion?

Is there a log at C:\combofix.txt?

If not, please run ComboFix again.

No log, and I ran it again and still no log…

Okay, I think we might have success. I rebooted in safe mode with networking and ran ComboFix. It went through its process and restarted the computer. Well, it's been 1/2 hr with no pop ups and no Avast warnings. I also ran MBAM again and it came up clean, it appears. I've attached the MBAM log and the OTL log.

I still cannot find the ComboFix log though…

What's next?

Okay, so I decided to run an MBAM full scan to make sure and it's already detected three objects. I will post that log after the scan is complete.

Here is the log of the full MBAM scan.

Just to let you know there is likely to be a short delay, time zone (almost 10:40am in the UK) ping pong, until essexboy is on-line after work later this afternoon.

David,

I figured that was happening. No worries, I appreciate the help so I don't mind waiting.

Oh, and for an update: I have had no pop ups and Avast has not flagged anything.

Good sign that the avast alerts have stopped, looks like the fix has done its stuff, but essexboy will confirm that when he is back on-line.

The detections in your last MBAM log are in the ComboFix quarantine so aren't an issue.

Files Detected: 4
C:\Qoobox\Quarantine\C\Windows\Installer\{001f2297-d9eb-eb10-93be-ee436f965386}\U\00000008.@.vir (Trojan.Dropper.BCMiner) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\Installer\{001f2297-d9eb-eb10-93be-ee436f965386}\U\80000032.@.vir (Rootkit.0Access) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir (Rootkit.0Access) -> No action taken.
E:\_OTL\MovedFiles\08052012_095256\C_Windows\Installer\{001f2297-d9eb-eb10-93be-ee436f965386}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
All in quarantine ;D
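To show what "in the quarantine so aren't an issue" means in practice, here is an added Python triage script (not from this thread, and not part of Malwarebytes, ComboFix or OTL) that parses Malwarebytes 1.x detection lines, marks entries sitting under ComboFix's Qoobox folder or OTL's _OTL\MovedFiles folder as already quarantined, and tags the ZeroAccess file locations and the Security Center notification switches seen in the logs above. The sample lines are constructed from the logs posted in this thread.

```python
import re
# Constructed sample in the Malwarebytes 1.x log format used in this thread;
# paths and family names are copied from the logs posted above.
SAMPLE_LOG = r"""
Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
C:\Users\Joe\AppData\Roaming\wimrc.dll (Trojan.Midhos) -> Delete on reboot.
C:\Windows\Installer\{001f2297-d9eb-eb10-93be-ee436f965386}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir (Rootkit.0Access) -> No action taken.
E:\_OTL\MovedFiles\08052012_095256\C_Windows\Installer\{001f2297-d9eb-eb10-93be-ee436f965386}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
"""

# One detection line: <path> (<family>) -> <action>
DETECTION = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) (?:->|→) (?P<action>.+)$")
# Where ComboFix (Qoobox) and OTL (_OTL\MovedFiles) park what they already removed
QUARANTINE = re.compile(r"^[a-z]:\\(?:Qoobox\\Quarantine\\|_OTL\\MovedFiles\\)", re.I)
# Artifact locations seen in this thread's logs, keyed by a short tag
TAGS = {
    "zeroaccess-path": re.compile(
        r"\\Installer\\\{[0-9a-f-]{36}\}\\U\\[0-9a-f]+\.@(?:\.vir)?$"
        r"|\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.I),
    "securitycenter-notify-off": re.compile(
        r"\\Security Center\|(?:AntiVirus|Firewall|Updates)DisableNotify$", re.I),
}

def classify(path, action):
    """Decide whether a detection still matters on the live system."""
    if QUARANTINE.match(path):
        return "quarantined"      # held by a removal tool already, not live
    if action.startswith("Delete on reboot"):
        return "pending_reboot"   # still on disk until the restart happens
    if "Quarantined" in action:
        return "remediated"
    return "active"

def triage(log_text):
    """Parse each detection line into path/family/action/status/tag."""
    items = []
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            d = m.groupdict()
            d["status"] = classify(d["path"], d["action"])
            d["tag"] = next((t for t, rx in TAGS.items() if rx.search(d["path"])), "")
            items.append(d)
    return items

def live_items(log_text):
    # Detections not yet quarantined or remediated: what the user should still act on
    return [i for i in triage(log_text) if i["status"] in ("active", "pending_reboot")]
```

Run against a full MBAM log, `live_items` is empty when every hit is already in a removal tool's quarantine, which is exactly the situation in the log above.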

Let's check for damage

Run Farbar Service Scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Here you go… Hopefully all is good. The only thing I know I lost is Opera but I can do without it.

A few repairs to do

Right click the following links and select “Save Target As…” saving to your desktop
https://dl.dropbox.com/u/73555776/mpssvc7.reg
https://dl.dropbox.com/u/73555776/bits.reg
https://dl.dropbox.com/u/73555776/SharedAccess7.reg
From the desktop, right click each reg file in turn and select Merge
Accept the warnings
Reboot and re-run FSS please

Here you go…

Any outstanding problems?