Hello everyone,

I recently started getting popups from avast saying it’s blocking files under C:\windows\installer, Win32:malware-gen and Win32:downloader-PKU; the process affected is always C:\windows\system32\services.exe. I’d appreciate any help you could give me.

Here’s the malware bytes log

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.01.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Mangus :: MANGUS-PC [administrator]

01/08/2012 10:57:46
mbam-log-2012-08-01 (10-57-46).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210969
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer{23302744-5b41-341c-b82d-4ff14097733b}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.

(end)

Here are the other logs.

Hello

Step1

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:OTL
O33 - MountPoints2\{eeb75fc7-e741-11e0-a82c-002522b6ee79}\Shell - "" = AutoRun
O33 - MountPoints2\{eeb75fc7-e741-11e0-a82c-002522b6ee79}\Shell\AutoRun\command - "" = G:\AutoRun.exe

:files
C:\Windows\Installer\{23302744-5b41-341c-b82d-4ff14097733b}
ipconfig /flushdns /c

:commands
[emptytemp]
[CREATERESTOREPOINT]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

Step2.

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

Hello Argus, many thanks for the very speedy response. I ran OTL, pasted the code you provided and ran the fix. It restarted the computer and had me choose my account at the log on screen (the choice was between my account and a blank “other account”); this usually doesn’t happen because only I have an account on this system. It also did not start when the desktop loaded, and didn’t produce any logreport. I held off on the second step you wrote down, since I wanted to make sure I did everything right. Please advise.

Run ComboFix, malware is still on the system

Ok, I ran combofix successfully and the popups so far seem to be gone. The log is attached.

Open notepad and copy/paste the text present inside the code box below:

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

FCOPY:: 
c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll|c:\windows\system32\user32.dll
c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll|c:\windows\SysWOW64\user32.dll

Save this as CFScript.txt

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

Alright, done.

Excellent any problems?

Everything seems to be working great so far. Thank you so much for your help, you are awesome!

It is necessary to uninstall the ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.

Run OTL and hit the cleanup button.

Done, everything is looking good. Thanks again for all your time and help!