I’m CONSTANTLY getting these messages popping up… I’ve done a scan and deleted them and a few more, but these apparently keep coming back? Any ideas?
Welcome to the forum. I suggest you follow this guide and attach your logs; then a malware expert will help you from there. However, it might take some hours, so be aware of that.
Hi Twin4819,
Please have a read here: http://forum.avast.com/index.php?topic=53253.0
Four logs will be produced when you run: Malwarebytes, OTL (two), and aswMBR.exe.
Attach the four logs in your next reply.
Once you have attached the logs, a malware expert will be able to assist you in cleaning your system of these malicious files. These logs will tell the malware expert what is on your system, and where the malicious files are, so cleaning can proceed.
EDIT: I know the popups can be annoying as well as scary, but at least Avast! is doing everything it can to prevent this infection from spreading further.
I am currently running one where Trend Micro is not even blocking the malware.
About to start the scans and things now while I sleep. I also noticed the svchost.exe *32 is bad and it’s eating up over 1 GB of RAM. Is that part of the same popups I am seeing?
Ok so I’ve only got 3 logs. One from each program. They have been attached.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Files
ipconfig /flushdns /c
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{7f423d6b-b830-1d0c-fc6d-dd327d766fda}
C:\Windows\System32\config\systemprofile\AppData\Local\{7f423d6b-b830-1d0c-fc6d-dd327d766fda}
C:\Windows\Installer\{7f423d6b-b830-1d0c-fc6d-dd327d766fda}
sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download the latest version of TDSSKiller from here and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application
http://dl.dropbox.com/u/73555776/TDSSFront.JPG
- Then click on Change parameters.
http://dl.dropbox.com/u/73555776/TDSSConfig.JPG
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip; click on Continue.
http://dl.dropbox.com/u/73555776/TDSSFound.JPG
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
http://dl.dropbox.com/u/73555776/TDSSEnd.JPG
- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
FINALLY
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double-click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Seems to be running smooth again & no popups from AVAST! yet. Internet seems to be back to normal speeds. CPU usage and RAM usage seem normal too. Thanks! Logs are attached.
Is it safe to remove all the downloaded programs and logs I have saved?
When essexboy gives you the all clear, you can. He will post what you need to know.
You had a two for one there
Re-run TDSSKiller and when this element appears select delete :
\Device\Harddisk0\DR0 ( TDSS File System )
THEN
https://dl.dropbox.com/u/73555776/FSS.GIF
Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
When I deleted that file, AVAST! popped up saying it blocked a bunch of things from TDSS’s Quarantine. Is that normal? The FSS.txt log is posted below.
Farbar Service Scanner Version: 06-08-2012
Ran by Rebel (administrator) on 07-08-2012 at 01:42:06
Running from "C:\Users\Rebel\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
Internet Services:
Connection Status:
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
Firewall Disabled Policy:
System Restore:
System Restore Disabled Policy:
Action Center:
Windows Update:
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Windows Autoupdate Disabled Policy:
Windows Defender:
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
File Check:
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
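The FSS log above checks three things for each Windows Update/Defender service: whether it is running, how it is configured to start, and whether its ImagePath and ServiceDll still point where they should; it also flags the DisableAntiSpyware value and hashes the system files that networking and updates depend on. The script below is an added example written for this thread, not FSS or any tool from the posts, that re-runs the same kind of read-only checks so they can be repeated after a fix such as the OTL "sc create BITS" line has been applied. The expected values it compares against are assumptions taken from what the log itself states (default start type Auto) and from the OTL fix line (BITS hosted by "svchost.exe -k netsvcs"); run it from an elevated PowerShell prompt.

```powershell
# Added example (not FSS, OTL or any tool from the thread): read-only checks of
# service configuration, the Defender policy value and system-file hashes.
# Expected values are assumptions taken from the thread's own log and OTL fix.

$startNames = @{ 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

function Get-ServiceConfig {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }   # key gone = service deleted
    $svc    = Get-ItemProperty $key
    $params = Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue
    $state  = Get-Service -Name $Name -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Name       = $Name
        Running    = ($state -ne $null -and $state.Status -eq 'Running')
        Start      = $startNames[[int]$svc.Start]
        Delayed    = ($svc.DelayedAutostart -eq 1)
        ImagePath  = $svc.ImagePath        # REG_EXPAND_SZ, expanded by Get-ItemProperty
        ServiceDll = $(if ($params) { $params.ServiceDll } else { $null })
    }
}

function Get-FileMd5 {
    param([string]$Path)
    # .NET directly, so this also runs on the PowerShell 2.0 shipped with
    # Windows 7 (Get-FileHash only arrived in PowerShell 4).
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# --- Services: same fields FSS reports --------------------------------------
$expectedImage = @{ 'BITS' = '*\svchost.exe -k netsvcs' }   # from the OTL fix line
foreach ($name in 'BITS', 'WinDefend') {
    $cfg = Get-ServiceConfig $name
    if (-not $cfg) { Write-Output "$name : service key missing"; continue }
    $note = ''
    if ($cfg.Start -ne 'Auto') { $note += " <-- start type is $($cfg.Start), default is Auto" }
    if ($expectedImage[$name] -and ($cfg.ImagePath -notlike $expectedImage[$name])) {
        $note += ' <-- unexpected ImagePath'
    }
    Write-Output ("{0}: running={1} start={2} delayed={3}{4}" -f $name, $cfg.Running, $cfg.Start, $cfg.Delayed, $note)
    Write-Output "    ImagePath : $($cfg.ImagePath)"
    Write-Output "    ServiceDll: $($cfg.ServiceDll)"
}

# --- The policy value the log flagged ---------------------------------------
$def = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($def -and $def.DisableAntiSpyware -eq 1) {
    Write-Output 'DisableAntiSpyware=1 : Windows Defender is switched off by this value'
} else {
    Write-Output 'DisableAntiSpyware is not set to 1'
}

# --- File check --------------------------------------------------------------
# FSS compares MD5 against its own reference list, which this thread does not
# reproduce; here the MD5 is printed for comparison with a clean machine of the
# same build, next to the Authenticode status. Caveat: most of these files are
# catalog-signed, and Get-AuthenticodeSignature on Windows 7 (PowerShell before
# 5.1) reports catalog-signed files as NotSigned, so read that status as "no
# embedded signature", not as evidence of tampering.
$files = @(
    "$env:SystemRoot\System32\qmgr.dll",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\wuaueng.dll",
    "$env:SystemRoot\System32\drivers\afd.sys",
    "$env:SystemRoot\System32\drivers\tcpip.sys",
    "$env:ProgramFiles\Windows Defender\MpSvc.dll"
)
foreach ($f in $files) {
    if (-not (Test-Path $f)) { Write-Output "$f => MISSING"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $f
    Write-Output ("{0} => md5={1} signature={2}" -f $f, (Get-FileMd5 $f), $sig.Status)
}
```

On the machine in this thread the first section would have reported BITS as not running and WinDefend with start type Demand, and the second section would have printed the DisableAntiSpyware=1 line, matching what FSS found; the file section only becomes useful when the hashes are compared against an identical, known-clean build.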
Aye, as TDSSKiller was moving the files Avast detected them…
OK, repair time now I feel. On completion of this, let me know what problems remain.
Download Windows Repair (all in one) from this site
Install the programme, then run it
https://dl.dropbox.com/u/73555776/waio%20start.JPG
Go to step 3 and allow it to run SFC
https://dl.dropbox.com/u/73555776/waio%20step3.JPG
On the start repairs tab click start
https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG
Select the following items and tick restart system when finished
Sorry for the late reply. Been out of town.
About to do that stuff and I’ll get back to you. Thanks a TON by the way. 8)
OK I may have a solution
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:filefind
qmgr.*
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
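The ":filefind qmgr.*" request above looks for every file of that name on the system, because qmgr.dll is the ServiceDll of the BITS service the OTL fix had to recreate, and the earlier FSS log still showed BITS not running. The script below is an added example written for this thread, not SystemLook itself, that performs the equivalent search in PowerShell and adds what a reviewer of the resulting log wants next to each hit: size, timestamp, MD5, Authenticode status, and whether that particular copy is the one BITS is configured to load (read from the service's Parameters key). It changes nothing on disk.

```powershell
# Added example (not SystemLook): find every qmgr.* on the fixed drives and
# describe each copy so an odd one out stands out. Read-only.

function Get-FileMd5 {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()   # works on PowerShell 2.0 too
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Find-FileCopies {
    param([string]$Pattern)
    # Fixed disks only (DriveType 3), matching SystemLook's whole-drive search.
    $drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
              ForEach-Object { $_.DeviceID + '\' }
    foreach ($root in $drives) {
        Get-ChildItem -Path $root -Filter $Pattern -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
    }
}

# The DLL that BITS is configured to load; every other qmgr.* is a copy to compare against it.
$bitsDll = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS\Parameters' `
            -ErrorAction SilentlyContinue).ServiceDll

$results = foreach ($file in Find-FileCopies 'qmgr.*') {
    New-Object PSObject -Property @{
        Path         = $file.FullName
        Size         = $file.Length
        Modified     = $file.LastWriteTime
        Md5          = Get-FileMd5 $file.FullName
        Signature    = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
        LoadedByBITS = ($bitsDll -ne $null -and $file.FullName -eq $bitsDll)
    }
}

$results | Format-Table Path, Size, Modified, Md5, Signature, LoadedByBITS -AutoSize

# Group by content: copies that share a hash are the same binary under
# different paths; a hash shared by nothing else is the one to look at.
$results | Group-Object Md5 | ForEach-Object {
    Write-Output ("{0} file(s) share md5 {1}" -f $_.Count, $_.Name)
}
```

On a 64-bit Windows 7 install several legitimate copies are expected (the 64-bit one under System32, a 32-bit one under SysWOW64, and matching copies under WinSxS), so the point is not the count but the grouping: the System32 copy should hash the same as its WinSxS twin, and the copy flagged LoadedByBITS should be under System32. As with the earlier file check, catalog-signed system files show NotSigned on Windows 7, so compare hashes rather than relying on the signature column alone.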