Topic: Win32:Atraps-PF[tjr]

Hi,

Avast continues to move this to the chest every five minutes. I would appreciate any help in getting this fixed. Here are the logs from the three tools:

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.09.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Church Family PC :: CHURCHFAMILYPC [administrator]

Protection: Enabled

7/9/2012 10:17:34 PM
mbam-log-2012-07-09 (22-17-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 296750
Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\{96641afd-b410-b0ea-012d-f17a2b427bfc}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.

(end)

links:

https://rapidshare.com/files/2543155607/aswMBR.zip

https://rapidshare.com/files/876629265/OTL.zip

Thank you in advance for any assistance.

Please go to Control Panel > Programs and Features, find and remove/uninstall Ask Toolbar.

Then …

Step #1

  1. Please download The Avenger2 by Swandog46 to your Desktop.
    [*] Right click on the Avenger.zip folder and select “Extract All…”
    [*] Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Folders to delete:
C:\windows\Installer\{96641afd-b410-b0ea-012d-f17a2b427bfc}
C:\Users\Church Family PC\AppData\Local\{96641afd-b410-b0ea-012d-f17a2b427bfc}

Files to move:
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe|C:\windows\SysNative\services.exe 


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    [*] Right click on the window under Input script here:, and select Paste.
    [*] You can also paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
    [*] Click on Execute
    [*] Answer “Yes” twice when prompted.
  4. The Avenger will automatically do the following:
    [*] It will restart your computer (in some cases twice).
    [*] On reboot, it will briefly open a black command window on your desktop; this is normal.
    [*] After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  5. Please copy/paste the content of C:\avenger.txt into your reply

Step #2

Run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzutAtN2Y1L1QzuyEtDyCtCzzyCzytB0F0B0A0BtAtBtBtAtN0D0TzutBtDtCtBtDyCtCyD&cr=1067342876
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzutAtN2Y1L1QzuyEtDyCtCzzyCzytB0F0B0A0BtAtBtBtAtN0D0TzutBtDtCtBtDyCtCyD&cr=1067342876
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=axl&chnl=axl&cd=2XzutAtN2Y1L1QzuyEtDyCtCzzyCzytB0F0B0A0BtAtBtBtAtN0D0TzutBtDtCtBtDyCtCyD&cr=1067342876
IE - HKU\S-1-5-21-364902139-701895751-1886837833-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = http://search.babylon.com/?affID=109935&tt=060612_6_&babsrc=HP_ss&mntrId=ee55322300000000000040618692fbab
IE - HKU\S-1-5-21-364902139-701895751-1886837833-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredibar.com/mb139?a=6R8yiV2nsc&i=26
IE - HKU\S-1-5-21-364902139-701895751-1886837833-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=axl&chnl=axl&cd=2XzutAtN2Y1L1QzuyEtDyCtCzzyCzytB0F0B0A0BtAtBtBtAtN0D0TzutBtDtCtBtDyCtCyD&cr=1067342876
IE - HKU\S-1-5-21-364902139-701895751-1886837833-1001\..\SearchScopes\{65DA7487-A404-420A-A4F6-63A40410D64E}: "URL" = http://start.funmoods.com/results.php?f=4&a=ironto&q={searchTerms}
IE - HKU\S-1-5-21-364902139-701895751-1886837833-1001\..\SearchScopes\{6A8D4A99-301C-C0D9-E66D-311957808D41}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109935&tt=060612_6_&babsrc=SP_ss&mntrId=ee55322300000000000040618692fbab
IE - HKU\S-1-5-21-364902139-701895751-1886837833-1001\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb139/?search={searchTerms}&loc=IB_DS&a=6R8yiV2nsc&i=26
FF - prefs.js..browser.startup.homepage: "http://search.babylon.com/?affID=109935&tt=060612_6_&babsrc=HP_ss&mntrId=ee55322300000000000040618692fbab"
FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..extensions.enabledItems: m3ffxtbr@mywebsearch.com:1.1
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files (x86)\MyWebSearch\bar\1.bin
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
O33 - MountPoints2\{929e94b7-9610-11e0-8661-40618692fbab}\Shell\AutoRun\command - "" = C:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL J:\TL-Bootstrap.exe
[3 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[1 C:\windows\SysWow64\*.tmp files -> C:\windows\SysWow64\*.tmp -> ]



:files
C:\Program Files (x86)\MyWebSearch
C:\Users\Church Family PC\AppData\Roaming\Mozilla\Firefox\Profiles\x0vt7vkx.default\extensions\ffxtlbr@babylon.com
C:\Users\Church Family PC\AppData\Roaming\Mozilla\Firefox\Profiles\x0vt7vkx.default\extensions\ffxtlbr@incredibar.com
C:\Users\Church Family PC\AppData\Roaming\Mozilla\Firefox\Profiles\x0vt7vkx.default\extensions\toolbar@ask.com
C:\Users\Church Family PC\AppData\Roaming\Mozilla\Firefox\Profiles\x0vt7vkx.default\searchplugins\MyStart Search.xml
C:\Users\Church Family PC\AppData\Roaming\Mozilla\Firefox\Profiles\x0vt7vkx.default\searchplugins\mywebsearch.xml

:commands
[emptytemp]
[reboot]

[*] Then click the Run Fix button at the top.
[*] Let the program run unhindered; it will reboot when it is done. If it does not, please reboot your system. OTL will open Notepad with a log report. Copy and paste the log report here…

Step #3

Re-run aswMBR and Malwarebytes. Attach a fresh MBAM log report here and tell me how your computer is running now.

Thank you very much for the lightning reply. I was looking for the “Ask Toolbar” to be uninstalled and it is not listed. Is it OK to proceed to step one?

Thanks

It's OK. Go hit it. :smiley:

Hi,

I ran the Avenger and it rebooted the system. I logged into the computer to find the log file, but I cannot locate it. Please advise.

Thanks,

Avenger log? Check on the system root partition.

C:\avenger.txt

If the Avenger log is not there, then do Step 2 and then the additional Step 3.

Additional Step 3

Re-run OTL. Make sure all other windows are closed and to let it run uninterrupted.

[*] Paste this into Custom Scan box at the bottom


netsvcs 
drives
%SYSTEMDRIVE%\*.exe 
/md5start
services.*
/md5stop
CREATERESTOREPOINT 

[*] Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*] When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

[*] Please attach them in this thread.
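The helper's Avenger script above replaces services.exe with the copy kept in the WinSxS servicecontroller component folder, and the additional Step 3 OTL scan hashes services.* (/md5start … /md5stop) so the helper can compare them. The following PowerShell script is an added example, not part of the thread and not one of the tools' own code: it performs that comparison locally and only reports, changing nothing. It assumes an x64 Windows 7 host, an elevated 64-bit PowerShell (a 32-bit PowerShell would be redirected to SysWOW64, which is why the Avenger script wrote SysNative), and the WinSxS folder name pattern from the thread; it avoids Get-FileHash so it also runs on PowerShell 2.0.

```powershell
# Added example (not from the thread): read-only integrity check for services.exe.
# Compares the live C:\Windows\System32\services.exe against every copy found in
# the WinSxS servicecontroller component folders, the same source the helper's
# Avenger script uses as the clean file. Run from an elevated 64-bit PowerShell.

function Get-Md5Hex {
    # MD5 as lowercase hex; PowerShell 2.0 has no Get-FileHash, so use .NET directly.
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

$live = Join-Path $env:SystemRoot 'System32\services.exe'

# Folder name pattern taken from the thread's Avenger script; the version and
# hash parts of the folder name vary by build and update level, so wildcard them.
$winsxs = Join-Path $env:SystemRoot 'winsxs'
$candidates = Get-ChildItem -Path $winsxs |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'amd64_microsoft-windows-s..s-servicecontroller_*' } |
    ForEach-Object { Join-Path $_.FullName 'services.exe' } |
    Where-Object { Test-Path $_ }

if (-not $candidates) {
    Write-Output "No WinSxS copy of services.exe found under $winsxs"
    return
}

$liveHash = Get-Md5Hex $live
$liveSize = (Get-Item $live).Length
Write-Output ("Live   {0}  {1}  {2} bytes" -f $liveHash, $live, $liveSize)

# Several component versions may coexist (RTM plus updated builds); the live
# file is fine if it matches any one of them.
$match = $false
foreach ($c in $candidates) {
    $h = Get-Md5Hex $c
    $s = (Get-Item $c).Length
    Write-Output ("WinSxS {0}  {1}  {2} bytes" -f $h, $c, $s)
    if ($h -eq $liveHash) { $match = $true }
}

if ($match) {
    Write-Output 'OK: live services.exe matches a WinSxS component copy.'
} else {
    Write-Output 'MISMATCH: live services.exe matches no WinSxS copy; treat it as suspect and report to the helper.'
}

# The file Malwarebytes kept re-detecting lived under this Installer GUID folder
# (GUID taken from the thread's logs); report whether the folder is still present.
$guidDir = Join-Path $env:SystemRoot 'Installer\{96641afd-b410-b0ea-012d-f17a2b427bfc}'
Write-Output ("Installer GUID folder present: {0}" -f (Test-Path $guidDir))
```

A hash mismatch is a reason to hand the output to the helper, not to replace the file yourself: the thread's fix order (Avenger file move, then re-scan) exists because the replacement has to happen on reboot before the patched file is loaded again.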

Hi,

Here are the logs after re-running aswMBR, OTL and Malwarebytes. I noticed a little difference in the speed, but my Avast still detects a Trojan which it moves to the chest every five minutes. Let me know if I am doing something wrong. Thank you in advance for taking the time to help.

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.10.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Church Family PC :: CHURCHFAMILYPC [administrator]

Protection: Enabled

7/10/2012 11:10:23 PM
mbam-log-2012-07-10 (23-10-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 274791
Time elapsed: 2 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\{96641afd-b410-b0ea-012d-f17a2b427bfc}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.

(end)

https://rapidshare.com/files/3367540029/OTL (2).zip

https://rapidshare.com/files/2442017543/aswMBR (2).zip

Hmm… judging by the Malwarebytes logs, malware is still active. :-
For some reason my scripts did not do their job.

Please do not upload your logs on Rapidshare! Attach them here. (Attachments and other options)

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

Hi,

I do not know if I am doing something wrong, but it seems that I cannot find the log. I copied and pasted the info into the search and it still does not produce a log. This is the same with the Avenger tool. It only took about three minutes for the program to run and it was done. I will keep looking to see if I can find that log, but if you have any suggestions of where and how to locate it I would greatly appreciate it.

Thanks,

Hmm… Start > Run

notepad C:\ComboFix.txt

Enter. Notepad will open. Attach the ComboFix log here.

If it opens an empty Notepad:

Delete ComboFix and download a fresh one.

Run ComboFix from Safe Mode as before.

Hi,

I found that file log. Thank you.

Since the CFScript.txt is too long to be copied to the forum, I attached it in the message.

Download this CFScript.txt

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Hi,

Here is the log that I just ran per your instructions.

Thanks,

Open notepad and copy/paste the text present inside the code box below:


File::
c:\windows\SysWow64\drivers\fdmbxci.sys
c:\windows\SysWow64\drivers\wrnccd.sys
c:\windows\SysWow64\drivers\mael.sys
c:\windows\SysWow64\drivers\wrgzsw.sys
c:\windows\SysWow64\drivers\lcfhbe.sys

Snapshot:: 

DirLook::
c:\windows\SysWow64\%APPDATA%

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:0f,91,f5,1d,75,4d,cd,01

Save this as CFScript.txt

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Here is the log I ran with the new CFScript.txt.

I recommend that you uninstall LimeWire
c:\program files (x86)\LimeWire

Open notepad and copy/paste the text present inside the code box below:


SkipFix::

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

Save this as CFScript.txt

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

How is your computer running now?