\Windows\Installer virus trojan cannot remove

Viruses and worms
1

Hi everyone,

I’m new to this forum, but I’ve been around computers my whole life. I don’t claim to know everything, and that is why I am asking for help. I found a thread on this forum with instructions for including log information for this file and I hope that I have included everything needed. I would reformat with Win7, but this computer is used at an architecture firm and software/licensing is a royal pain.

I have scanned the PC multiple times with Malwarebytes as well as Avast boot-time scan. However, Avast continues to popup saying that it is blocking a trojan that is located in the C:\Windows\Installer{8ba5ea…

Thanks in advance for any advice or help! :slight_smile:

Jeremy

This particular PC is built as follows:
AMD Phenom II x2 555 Processor 3.21GHz
Asus mobo
4GB Ram
Windows 7 Professional 32-Bit OEM

HERE ARE THE LOGS:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.24.12

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Sheila :: SHEILA-PC [administrator]

7/25/2012 4:25:40 AM
mbam-log-2012-07-25 (04-25-40).txt

Scan type: Full scan (C:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 261087
Time elapsed: 22 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 11
C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) → Quarantined and deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz39B.tmp (Rootkit.Zaccess) → Quarantined and deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz4918.tmp (Rootkit.Zaccess) → Quarantined and deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz532B.tmp (Rootkit.Zaccess) → Quarantined and deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz7532.tmp (Rootkit.Zaccess) → Quarantined and deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz9990.tmp (Rootkit.Zaccess) → Quarantined and deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzB640.tmp (Rootkit.Zaccess) → Quarantined and deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzBCD2.tmp (Rootkit.Zaccess) → Quarantined and deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzE427.tmp (Trojan.Sirefef) → Quarantined and deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzF1C1.tmp (Rootkit.Zaccess) → Quarantined and deleted successfully.

(end)

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-25 13:50:33

13:50:33.987 OS Version: Windows 6.1.7601 Service Pack 1
13:50:33.987 Number of processors: 2 586 0x403
13:50:33.987 ComputerName: ******-PC UserName: Sheila
13:50:35.422 Initialize success
13:50:36.031 AVAST engine defs: 12072500
13:50:53.846 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000064
13:50:53.846 Disk 0 Vendor: WDC_WD10 05.0 Size: 953869MB BusType: 3
13:50:53.862 Disk 0 MBR read successfully
13:50:53.862 Disk 0 MBR scan
13:50:53.862 Disk 0 Windows 7 default MBR code
13:50:53.862 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
13:50:53.893 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
13:50:53.893 Disk 0 scanning sectors +1953521664
13:50:53.940 Disk 0 scanning C:\Windows\system32\drivers
13:51:01.350 Service scanning
13:51:12.301 Modules scanning
13:51:15.514 Disk 0 trace - called modules:
13:51:15.530 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys
13:51:16.029 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85dd8030]
13:51:16.029 3 CLASSPNP.SYS[8a3c659e] → nt!IofCallDriver → [0x84e1ab40]
13:51:16.029 5 ACPI.sys[8a43b3d4] → nt!IofCallDriver → \Device\00000064[0x856f0030]
13:51:16.887 AVAST engine scan C:\Windows
13:51:18.853 AVAST engine scan C:\Windows\system32
13:52:21.019 File: C:\Windows\assembly\GAC\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
13:52:38.179 AVAST engine scan C:\Windows\system32\drivers
13:52:44.996 AVAST engine scan C:\Users\Sheila
13:54:30.207 Disk 0 MBR has been saved successfully to “C:\Users\Sheila\Desktop\Virus Logs\MBR.dat”
13:54:30.222 The log file has been saved successfully to “C:\Users\Sheila\Desktop\Virus Logs\aswMBR.txt”

I have attached the OTL log. Thanks again!

2

Here are the attachments. It would not let me attach them to the original post for some reason.

3

If you can attach the OTL extras.txt also.

A malware removal specialist has been informed of your topic.

4

Per your request.

5

I am heading out on a service call for an hour or so. If you need any screenshots, etc. let me know.

Thanks

6

Thanks, it shouldn’t be too long for a specialist to check your logs. Hopefully when you get back there should be some fixes for you.

7

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL [2012/07/23 10:04:24 | 000,000,000 | ---D | C] -- C:\ProgramData\036E1BAD030A30E6EBF63876F875EF7E [3 C:\Windows\Installer\{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\*.tmp files -> C:\Windows\Installer\{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\*.tmp -> ]

:Files
ipconfig /flushdns /c
C:\Windows\assembly\GAC\Desktop.ini
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}
C:\Users\Sheila\AppData\Local{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

8

Ok, I’ve ran both fixes exactly how you listed them. So far the PC seems to be running fine & fully functional. I have attached both logs per your request.

On a side note, ComboFix said that I had Avast Antivirus & Avast Antispyware running when it first started to scan even though I had disabled it in the Taskbar. I also went into services.msc & ‘stopped’ the Avast service from running. I thoroughly checked and there were no instances of Avast running in applications, processes, or services. It did allow me to continue, but warned that they were still running. Just an FYI for future reference.

Thanks for the help!

Begin Logs

All processes killed
========== OTL ==========
Folder C:\ProgramData\036E1BAD030A30E6EBF63876F875EF7E\ not found.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz1548.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz176B.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz1AB.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz1B2E.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz217.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz2347.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz27C2.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz2B20.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz2BE.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz2BF3.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz360F.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz421F.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz5223.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz53B.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz5F99.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz601B.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz621C.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz6DAD.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trz9508.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzA73F.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzAAE4.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzBA22.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzBE4E.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzC472.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzD21.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzD254.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzD56A.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzD775.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzECDE.tmp deleted successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U\trzF6A7.tmp deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Sheila\Downloads\cmd.bat deleted successfully.
C:\Users\Sheila\Downloads\cmd.txt deleted successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U folder moved successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\L folder moved successfully.
C:\Windows\Installer{8ba5ea61-e71e-260f-3356-ff8fd764f6a3} folder moved successfully.
C:\Users\Sheila\AppData\Local{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\U folder moved successfully.
C:\Users\Sheila\AppData\Local{8ba5ea61-e71e-260f-3356-ff8fd764f6a3}\L folder moved successfully.
C:\Users\Sheila\AppData\Local{8ba5ea61-e71e-260f-3356-ff8fd764f6a3} folder moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56466 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: Sheila
->Temp folder emptied: 3780755 bytes
->Temporary Internet Files folder emptied: 26163274 bytes
->Java cache emptied: 3739638 bytes
->Google Chrome cache emptied: 26462149 bytes
->Flash cache emptied: 647 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 22478871 bytes
RecycleBin emptied: 71072 bytes

Total Files Cleaned = 79.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.54.1 log created on 07252012_155402

Files\Folders moved on Reboot…
C:\Users\Sheila\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Sheila\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8J61RF4Y\index[6].htm moved successfully.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\hlktmp scheduled to be moved on reboot.
C:\Windows\temp~DF8002777409A443B3.TMP moved successfully.

PendingFileRenameOperations files…
File C:\Users\Sheila\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat not found!
File C:\Users\Sheila\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8J61RF4Y\index[6].htm not found!
[2012/07/25 16:05:33 | 000,000,000 | ---- | M] () C:\Windows\temp_avast_\Webshlock.txt : Unable to obtain MD5
[2012/07/25 16:05:21 | 008,405,015 | ---- | M] () C:\Windows\temp\hlktmp : Unable to obtain MD5
File C:\Windows\temp~DF8002777409A443B3.TMP not found!

Registry entries deleted on Reboot…

Both logs are also attached as ANSI files also

9

ComboFix log exceeds maximum 1000 character count. It is attached above as an ANSI file.

10

How is the computer behaving now ?

11

So far so good

12

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[]Follow the prompts on the screen
[]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Go to control panel
[*]Select folder options (Appearance > Folder options in category view)
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

[] Go to this site and click Do I have Java
[] It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]GoStart > All programs > Accessories > system tools
[*]Right click Disc cleanup and select run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[]Select OK
[]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave: