Win32:Atraps-PF ! HELP!

Viruses and worms
1

Avast keeps moving win32:atraps-pf to the chest every few minutes. Ran Mbam, log says successfully removed but it’s still there. Help?
Mbam Log:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.29.05

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Marissa :: MARISSA-PC [administrator]

Protection: Enabled

6/29/2012 3:57:02 AM
mbam-log-2012-06-29 (03-57-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211939
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{65bcd620-07dd-012f-819f-073cf1b8f7c6} (Adware.GamePlayLab) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) → Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\Marissa\AppData\Local\Temp\140993.Uninstall\Uninstall.exe (PUP.Adware.InstallCore) → Quarantined and deleted successfully.
C:\Users\Marissa\AppData\Local\Temp\is1293846689\IWantThisAD_US.exe (Adware.GamePlayLabs) → Quarantined and deleted successfully.
C:\Users\Marissa\Downloads\ADLSoft_UnCompressor.exe (PUP.Adware.InstallCore) → Quarantined and deleted successfully.
C:\Windows\Installer{9c374914-9016-4b9b-c068-d105409e58e0}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.

(end)

2

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

3

Thanks, MBAM log is included in first post. OTL logs are attached. and aswMBR log is below

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-29 05:25:51

05:25:51.725 OS Version: Windows x64 6.1.7600
05:25:51.726 Number of processors: 4 586 0x2A07
05:25:51.729 ComputerName: MARISSA-PC UserName: Marissa
05:25:53.628 Initialize success
05:25:53.841 AVAST engine defs: 12062900
05:25:56.249 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
05:25:56.253 Disk 0 Vendor: Hitachi_ PB4O Size: 476940MB BusType: 3
05:25:56.294 Disk 0 MBR read successfully
05:25:56.298 Disk 0 MBR scan
05:25:56.304 Disk 0 Windows 7 default MBR code
05:25:56.329 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 15360 MB offset 2048
05:25:56.361 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 31459328
05:25:56.383 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461478 MB offset 31664128
05:25:56.431 Disk 0 scanning C:\Windows\system32\drivers
05:26:11.746 Service scanning
05:26:37.985 Modules scanning
05:26:38.003 Disk 0 trace - called modules:
05:26:38.039 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
05:26:38.053 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8006904060]
05:26:38.063 3 CLASSPNP.SYS[fffff8800120143f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8004a91050]
05:26:39.350 AVAST engine scan C:\Windows
05:26:52.435 AVAST engine scan C:\Windows\system32
05:27:45.828 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-ZT [Trj]
05:28:05.620 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
05:28:07.484 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
05:29:07.912 AVAST engine scan C:\Windows\system32\drivers
05:29:18.600 AVAST engine scan C:\Users\Marissa
07:05:29.361 AVAST engine scan C:\ProgramData
08:06:25.770 Scan finished successfully
13:54:01.762 Disk 0 MBR has been saved successfully to “C:\Users\Marissa\Documents\MBR.dat”
13:54:01.776 The log file has been saved successfully to “C:\Users\Marissa\Documents\aswMBR.txt1.txt”

4

Additional info:
file that keeps getting caught by avast is C:\Windows\Installer{9c374914-9016-4b9b-c068-d105409e58e0}\U\00000008.@ (Trojan.Dropper.BCMiner)

5

Stuff like this C:\Windows\Installer{9c374914-9016-4b9b-c068-d105409e58e0}[b]U\00000008.@ /b, The bold text is usually an indication of an underlying rootkit. This is also picked up in the aswMBR avast scan.

05:27:45.828 File: C:\Windows\system32\services.exe **INFECTED** Win32:Sirefef-ZT [Trj] 05:28:05.620 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk] 05:28:07.484 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]

I believe it is these which are responsible for the other alerts as they try to initiate more malware.

Whilst it is a pain getting the avast alerts like this, it is preventing further infection.

Unfortunately this does need a malware removal specialist (not me) to analyse the OTL logs essexboy who is most active on this will be in bed (2:42a.m. here in the UK and I’m about to call it a night also). So it may be a bit of time unless another specialist from a time zone closer to yours can continue with this.

Sorry I can’t be of more practical help.

6

Thanks DavidR,
Hopefully I’ll get some help soon.

7

This should cure it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3 - HKU\S-1-5-21-3270222126-2588381078-2510154656-1000\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.

:Files
ipconfig /flushdns /c
C:\Windows\Installer{9c374914-9016-4b9b-c068-d105409e58e0}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

8

EssexBoy,

I am in a very similar situation. I was wondering if this fix or a slight variation of this fix would help me as well? Attached is my OTL log, and below are the MBAM and aswMBR logs.

MBAM;

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.29.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Shay :: ALICE [administrator]

6/29/2012 7:01:07 PM
mbam-log-2012-06-29 (19-01-07).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 395852
Time elapsed: 1 hour(s), 43 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Shay\Desktop\finished\memory card full\Programs\Office 2010 Toolkit\Net_Framework 3.5_Update.exe (Trojan.Dropper) → Quarantined and deleted successfully.
C:\Users\Shay\Desktop\finished\memory card full\Programs\VideoPad.Video.Editor.Pro.2.40_2\NCH Software - VideoPad 3.22 - KeYGeN_IMPosTOR.exe (RiskWare.Tool.CK) → Quarantined and deleted successfully.
C:\Windows\Installer{dbcaa52c-e526-45d0-2df8-41b4d6fcb8cf}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.

(end)

aswMBR log;

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-30 12:57:21

12:57:21.384 OS Version: Windows x64 6.1.7601 Service Pack 1
12:57:21.384 Number of processors: 2 586 0x603
12:57:21.387 ComputerName: ALICE UserName: Shay
12:57:23.751 Initialize success
12:57:23.883 AVAST engine defs: 12063000
12:57:28.422 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000068
12:57:28.426 Disk 0 Vendor: Hitachi_ JE3O Size: 476940MB BusType: 11
12:57:28.448 Disk 0 MBR read successfully
12:57:28.454 Disk 0 MBR scan
12:57:28.461 Disk 0 Windows 7 default MBR code
12:57:28.478 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
12:57:28.493 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 463010 MB offset 409600
12:57:28.539 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 13626 MB offset 948654080
12:57:28.567 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 976560128
12:57:28.677 Disk 0 scanning C:\Windows\system32\drivers
12:57:49.550 Service scanning
12:58:22.192 Modules scanning
12:58:22.211 Disk 0 trace - called modules:
12:58:22.249 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
12:58:22.262 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa80042ee060]
12:58:22.275 3 CLASSPNP.SYS[fffff8800180143f] → nt!IofCallDriver → [0xfffffa8004279ac0]
12:58:22.288 5 amd_xata.sys[fffff88001080900] → nt!IofCallDriver → \Device\00000068[0xfffffa80042754a0]
12:58:24.422 AVAST engine scan C:\Windows
12:58:45.223 AVAST engine scan C:\Windows\system32
13:00:51.506 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-ZT [Trj]
13:01:21.971 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
13:01:24.433 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
13:02:53.782 AVAST engine scan C:\Windows\system32\drivers
13:03:08.328 AVAST engine scan C:\Users\Shay
13:41:21.301 AVAST engine scan C:\ProgramData
13:48:16.115 Scan finished successfully
14:06:04.328 Disk 0 MBR has been saved successfully to “C:\Users\Shay\Desktop\MBR.dat”
14:06:04.343 The log file has been saved successfully to “C:\Users\Shay\Desktop\aswMBR.txt”

Thanks for any advice you an give me as well. You’re doing a great thing, thank you!

9

@ Shaneps86
Please create your own new topic, here http://forum.avast.com/index.php?board=4.0 in the viruses and worms forum (click the New topic button at the top of the page see image) and we will try and help you there.

Fixes are unique to the users system as mentioned above every fix.

10

@Shaneps86 A topic for you has been started here

http://forum.avast.com/index.php?topic=100400.new#new

11

Thanks @essexboy,
I did as you suggested.The logs are attached below. I have just enabled avast antivirus and am waiting to see if the problem persists. So far, so good.

12

Could you post the combofix log please it should be at C:\combofix.txt

13

@essexboy,
Sorry :), Thought you wanted log. Combofix.txt is attached.

14
Infected copy of c:\windows\system32\Services.exe was found and disinfected Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
Thats the main bad boy dead ;D

How is the computer now ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=109935&babsrc=HP_ss&mntrId=d43cc1fc0000000000009a9ffa934aae IE - HKCU\..\URLSearchHook: {687578b9-7132-4a7a-80e4-30ee31099e03} - No CLSID value found IE - HKCU\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No CLSID value found IE - HKCU\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109935&babsrc=SP_ss&mntrId=d43cc1fc0000000000009a9ffa934aae FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)" FF - prefs.js..browser.search.order.1: "Search the web (Babylon)" [2012/02/03 13:14:43 | 000,002,313 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml [2012/02/03 13:14:34 | 000,000,000 | ---D | M] -- C:\Users\Marissa\AppData\Roaming\Babylon

:Files
ipconfig /flushdns /c
c:\user.js

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

15

@essexboy,
i haven’t seen anymore avast warnings so it seems to be working fine. OTL log is attached.

16

Nice, if all is well tomorrow let me know and I will tidy up

17

Thank you so much!!! Really glad you were able to help. Those warnings were driving me crazy.

18

@essexboy,

I haven’t seen the avast notices all day so I guess that mean success. Is there anything else I need to do?

19

Essexboy will probably give you information on how to remove the tools he used and general advice on your system. But with the time zone differences (13:02 in the UK now) it may be a little time.

20

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[]Follow the prompts on the screen
[]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Go to control panel
[*]Select folder options (Appearance > Folder options in category view)
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[]Click OK.

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]GoStart > All programs > Accessories > system tools
[*]Right click Disc cleanup and select run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[]Select OK
[]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave: