Win32:Atraps-PF and Win64 virus

Hi everyone. Yesterday avast started detecting and apparently blocking the win32 atraps and win 64 virus. I’ve scanned it with Malwarebytes and tried to delete it from there but it keeps coming back. I’ve looked at other threads on this site with the same problem so here’s hoping this can be fixed. ( and that I’m posting everything I’m supposed to)

My computer is Windows 7 64 bit.

This is the MBAM log:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.08.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Annie :: ANNIE-HP [administrator]

Protection: Enabled

7/8/2012 10:45:03 PM
mbam-log-2012-07-08 (22-45-03).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 375160
Time elapsed: 51 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\{69a6d848-1e31-5f23-61a8-126a6657c4d7}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.

(end)

I’ve read that I should scan my computer and post the log from OTL too; however, I currently can’t download OTL from their website due to maintenance on it, so I’ll post that whenever I can later.

In the meantime, is there anything else I can do? Also just a side question, do you guys know what this virus does exactly? Is avast really catching and blocking the virus before it infects the computer, or are the repeated pop-ups a sign that the computer is already infected?

Thank you for the help you give to clueless people like me :-[

In the meantime, is there anything else I can do?
yes.....also attach aswMBR log

http://forum.avast.com/index.php?topic=53253.0

Ok I finished scanning with OTL. Results are attached.

This is the other OTL log.

forgot attachment.

:-[ :-[ :-[

and here is the aswMBR scan results

Hi kora, welcome to the forum.

To make cleaning this machine easier
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, Please ask before continuing.
[*]Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Right click on ComboFix.exe, click Run as Administrator & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If after running combofix you receive a message “Illegal operation attempted on a registry key that has been marked for deletion” or similar, reboot the computer.

Please post back with the combofix log.

Thanks

ok here’s the combofix log.

Hi kora,

Please follow all previous instructions regarding security programs.

Open a new Notepad session
[*]Click the Start button, click run
[*]in the run box type notepad
[*]click ok
[*]In the notepad, Click “Format” and be certain that Word Wrap is not checked.

[*]Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

File::
C:\Users\Annie\AppData\Local\{69a6d848-1e31-5f23-61a8-126a6657c4d7}\@
c:\windows\SysWow64\shoC9C0.tmp
c:\windows\SysWow64\shoE001.tmp
C:\windows\SysWow64\sho187D.tmp
c:\windows\SysWow64\sho1C01.tmp
c:\windows\SysWow64\sho9809.tmp
c:\windows\SysWow64\sho3737.tmp
c:\windows\SysWow64\shoAFC0.tmp
c:\windows\SysWow64\shoBE54.tmp
c:\windows\SysWow64\shoCB4E.tmp
c:\windows\SysWow64\shoBEEE.tmp

Folder::
c:\windows\Installer\{69a6d848-1e31-5f23-61a8-126a6657c4d7}\L
c:\windows\Installer\{69a6d848-1e31-5f23-61a8-126a6657c4d7}\U
c:\windows\Installer\{69a6d848-1e31-5f23-61a8-126a6657c4d7}
C:\Users\Annie\AppData\Local\{69a6d848-1e31-5f23-61a8-126a6657c4d7}

DDS::
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>

In the notepad
[*]Click File, Save as…, and set the Save in to your Desktop
[*]In the filename box, type (including quotation marks) as the filename: “CFScript.txt”
[*]Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post the combofix log.

How’s the computer?
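A read-only check for the artifacts named in the CFScript above, added here as an example and not part of the thread or of ComboFix. It assumes a default Windows layout (`$env:SystemRoot`, `$env:LOCALAPPDATA`), that the DDS line `uInternet Settings,ProxyOverride` refers to the HKCU Internet Settings key, and that the `sho*.tmp` names are random per machine, so it matches the pattern rather than the exact names.

```powershell
# Added example (not from the thread). Reports whether the paths and the proxy setting
# from the CFScript are still present; it does not delete anything.
$guid = '{69a6d848-1e31-5f23-61a8-126a6657c4d7}'
$listedPaths = @(
    "$env:SystemRoot\Installer\$guid",
    "$env:SystemRoot\Installer\$guid\L",
    "$env:SystemRoot\Installer\$guid\U",
    "$env:LOCALAPPDATA\$guid",
    "$env:LOCALAPPDATA\$guid\@"
)

function Test-ListedArtifacts {
    $found = @()
    foreach ($p in $listedPaths) {
        # -LiteralPath: the braces in the folder name must not be treated as wildcards
        if (Test-Path -LiteralPath $p) { $found += $p }
    }
    # Assumption: the sho????.tmp names vary, so match the pattern in SysWOW64
    $tmp = Get-ChildItem -Path "$env:SystemRoot\SysWOW64" -Filter 'sho*.tmp' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
    foreach ($f in $tmp) { $found += $f.FullName }
    return $found
}

function Test-ProxyOverride {
    # "uInternet Settings" in DDS notation is the per-user (HKCU) key
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $v = (Get-ItemProperty -Path $key -Name ProxyOverride -ErrorAction SilentlyContinue).ProxyOverride
    # A loopback host:port entry, as in "127.0.0.1:9421;<local>", is the thing to flag
    if ($v -and $v -match '127\.0\.0\.1:\d+') { return $v }
    return $null
}

$hits  = Test-ListedArtifacts
$proxy = Test-ProxyOverride
if ($hits.Count -eq 0 -and -not $proxy) {
    Write-Output 'None of the listed artifacts are present.'
} else {
    $hits | ForEach-Object { Write-Output "Present: $_" }
    if ($proxy) { Write-Output "ProxyOverride still set: $proxy" }
}
```

Run it after the ComboFix pass to confirm the listed items are gone; anything it still reports belongs in the next log for the helper.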

Ok here’s the second combo fix log. Computer seems to be working fine. No more pop ups from avast. Tho a system scan with avast found an infected file. That was before I ran combo fix so I’ll scan again and see if it’s still there.

ok scanned again with avast and malwarebytes. I think the infected files found were the ones I had in avast quarantine. Cleared that and nothing showed up. :smiley: :smiley: :smiley: thank you very very much for your help

Hi kora,

Your java is out of date.

Click your start button > Control Panel
[*]Use the drop down menu beside view by and change it to small icons
[*]locate java (32bit) in the list and double click on it
[*]click the Update tab
[*]Click update now

Next, Double click on OTL.exe
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :


:Services

:Commands
[emptytemp]


Then click the Run Fix button at the top

[*]Let the program run unhindered
No need to post the log.

We’ll clean up the tools now.

From your desktop, please delete, if present
[*]any notepads/logs that we created
[*]aswMBR.exe
[*]mbr.zip
[*]mbr.dat

Next

Click the Start button. Copy and paste the following line into the search box and hit enter


Combofix /uninstall

Next

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM. Keep it updated and use it regularly.

Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Those you have now, provided you are using a firewall and install an antivirus program. Windows 7 has a built in firewall which is pretty good when set up. You can find some very good information HERE .

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
[*]Click once on the Security tab
[*]Click once on the Internet icon so it becomes highlighted.
[*]Click once on the Custom Level button.
[*]Change the Download signed ActiveX controls to Prompt
[*]Change the Download unsigned ActiveX controls to Disable
[*]Change the Initialize and script ActiveX controls not marked as safe to Disable
[*]Change the Installation of desktop items to Prompt
[*]Change the Launching programs and files in an IFRAME to Prompt
[*]Change the Navigate sub-frames across different domains to Prompt
[*]When all these settings have been made, click on the OK button.
[*]If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

  • Make sure you have reset Windows Updates to your chosen option. Click your start button > Control Panel > System > Windows updates (lower left) > change settings

  • Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE

Please post back if you have any problems.

Take care