Sirefef, Atraps, and Malware Gen

My Avast keeps alerting me that a trojan was blocked. The threats are Win32:Malware-gen, Win64:Sirefef-A, and Win32:Atraps-PF. I ran MBAM and let it fix and reboot, but it has still not been removed.

MBAM log

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.11.09

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Phillip :: PHILLIP-LAPTOP [administrator]

Protection: Enabled

7/11/2012 3:09:58 PM
mbam-log-2012-07-11 (15-09-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196490
Time elapsed: 7 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) → Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) → Data: C:\Users\Phillip\AppData\Local\{a2f23dd1-268f-918f-f010-2b188ad7f065}\n. → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) → Quarantined and deleted successfully.
C:\Windows\Installer\{a2f23dd1-268f-918f-f010-2b188ad7f065}\U\00000004.@ (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{a2f23dd1-268f-918f-f010-2b188ad7f065}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.

(end)

aswMBR log

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-11 15:48:34

15:48:34.660 OS Version: Windows 6.1.7601 Service Pack 1
15:48:34.660 Number of processors: 1 586 0xF06
15:48:34.660 ComputerName: PHILLIP-LAPTOP UserName: Phillip
15:48:36.128 Initialize success
15:48:36.285 AVAST engine defs: 12071102
15:48:56.127 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
15:48:56.127 Disk 0 Vendor: Hitachi_HTS541680J9SA00 SB2OC7DP Size: 76319MB BusType: 3
15:48:56.190 Disk 0 MBR read successfully
15:48:56.190 Disk 0 MBR scan
15:48:56.190 Disk 0 Windows 7 default MBR code
15:48:56.221 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
15:48:56.237 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 74818 MB offset 3074048
15:48:56.268 Disk 0 scanning sectors +156301312
15:48:56.376 Disk 0 scanning C:\Windows\system32\drivers
15:49:07.908 Service scanning
15:49:38.515 Modules scanning
15:49:55.770 Disk 0 trace - called modules:
15:49:55.801 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
15:49:56.333 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85748528]
15:49:56.333 3 CLASSPNP.SYS[8860459e] → nt!IofCallDriver → [0x85691918]
15:49:56.348 5 ACPI.sys[882c03d4] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x849c9908]
15:49:57.129 AVAST engine scan C:\Windows
15:49:58.820 AVAST engine scan C:\Windows\system32
15:52:50.336 AVAST engine scan C:\Windows\system32\drivers
15:53:04.101 AVAST engine scan C:\Users\Phillip
16:01:13.428 AVAST engine scan C:\ProgramData
16:01:33.514 Scan finished successfully
16:02:04.096 Disk 0 MBR has been saved successfully to “C:\Users\Phillip\Desktop\MBR.dat”
16:02:04.112 The log file has been saved successfully to “C:\Users\Phillip\Desktop\aswMBR.txt”

Hi pplank,

Since you have a rootkit infection, I suggest also attaching the aswMBR log. Do not attempt to fix anything at this time. Just attach the resulting log in your next reply.

EDIT: Seems you beat me to the punch. Wait for a malware expert to assist you. Do not run/fix any other programs unless requested to.

Ok, Thank you.

Any ideas anyone?

I will be back soon when I review your logs…

OK, thank you very much.

Step 1

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:OTL
IE - HKU\S-1-5-21-3706290843-3886155697-2542051843-1002\..\SearchScopes\{180780f0-b348-4b44-8210-94a8f3ee15b2}: "URL" = http://search.comcast.net/search/?cat=Web&con=toolbar&q={searchTerms}

:files
C:\Windows\Installer\{a2f23dd1-268f-918f-f010-2b188ad7f065}
C:\Users\Phillip\AppData\Local\{a2f23dd1-268f-918f-f010-2b188ad7f065}

:Commands
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.

  • Let the program run unhindered; it will reboot when it is done and it will open Notepad with a log report. Attach the log report here.

Step 2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) to this topic.

Step 3

  • Re-run OTL. Make sure all other windows are closed and let it run uninterrupted.

  • Click on Minimal Output at the top.

  • Paste this into the Custom Scan box at the bottom:

drives
CREATERESTOREPOINT
%SYSTEMDRIVE%\*.*
/md5start
svchost.*
7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.*
7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
/md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

  • When the scan completes, it will open two Notepad windows, OTL.txt and Extras.txt. These are saved in the same location as OTL.

  • Please attach them in this thread.

Any idea on how long ComboFix should run? It has been running for 30 minutes now and it is only saying “scanning for infected files… This typically doesn’t take more than 10 minutes. However, scan times for badly infected machines may easily double”. The activity light on my laptop isn’t showing anything either. It is almost like it has locked up. I have Avast antivirus and it was disabled per the post above.

Wait a little longer, be patient. Wait an hour if need be.

If ComboFix does not progress through the stages (1 - 50), restart the computer, download a fresh ComboFix and run it in Safe Mode.

Do not touch the computer or mouse-click ComboFix’s window, nor run any program while ComboFix is running!!!

Hi all, I’m having issues with Win32:Atraps and Win64:Sirefef. I’ve run Malwarebytes Anti-Malware and I’ve gotten nowhere. Avast is still popping up every 5 minutes saying my PC is infected. Someone please help…

@Dean32

Open a new topic and follow this guide:
http://forum.avast.com/index.php?topic=53253.0

We do not wish to mix more cases in one topic ;)

Ok

Sorry you guys. Didn’t mean to be intrusive.

Dan, attach those logs in a new topic and someone will look at those for you. If no one does, I will :wink:

This topic belongs to pplank. :wink:

I realized that I had recently updated to Windows 7 and that there wasn’t much on my computer, so I decided to just do a full wipe and restore. I never could get ComboFix to run, even in Safe Mode. Thanks for your help.

OK, so you know: do not make any changes while cleaning is in progress, because then you disrupt the logs.
System Restore will not remove the malware anyway. :wink:

I would really like to try to get the ComboFix log.
Try this. If this still does not get ComboFix to run, go to Step 3.

  • Delete Combofix.

  • Download fresh Combofix and save to your Desktop

  • Reboot the system in Safe Mode

  • Start > Run, enter:

"%userprofile%\desktop\ComboFix.exe" /KillAll /nombr /StepDel

  • Press Enter

Note!
Expect ComboFix to scan longer than usual. It can happen that the system is restarted several times. Allow it to do so.
Do not touch the computer or mouse-click ComboFix’s window, nor run any program while ComboFix is running!!!

…if all fails, skip Step 2 and go to Step 3.