infected with Trojan Pakes.ELE



#1 johntyler
Posted 13 January 2010 - 08:36 AM

I've tried looking for solutions and used a previous thread on this board to sort some other problems. Now I've come up against one that I can't solve!

On 11 Jan. AVG isolated Win32\Cryptor, but more AVG pop-ups appeared on 12th. When commanded to send virus to the vault the pop-up closed, but no log appeared in the vault. The pop-ups continued several per hour.

I ran MBAM to successfully get rid of a dozen infections of various types. Log below of quick scan.

Malwarebytes' Anti-Malware 1.44
Database version: 3546
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

12/01/2010 10:46:11
mbam-log-2010-01-12 (10-46-11).txt

Scan type: Quick Scan
Objects scanned: 107571
Time elapsed: 6 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\JOHN\downloads\erpsetup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Windows\System32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Windows\System32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Windows\System32\sdra64.exe (Spyware.Zbot) -> Quarantined and deleted successfully.

Log below of follow-up full scan.

Malwarebytes' Anti-Malware 1.44
Database version: 3546
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

12/01/2010 13:37:47
mbam-log-2010-01-12 (13-37-46).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 271146
Time elapsed: 1 hour(s), 8 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Following this, Pake.ELE appeared in AVG pop-ups, up to 12 per hour. Sent to vault, but do not appear in the actual vault in main programme.

I downloaded (and updated) ATFCleaner and SAS; rebooted into safe mode; ran ATF and then SAS.

SAS quarantined one object 'Unclassified:Unknown Origin'.

Pake.ELE keeps appearing in AVG popups. I also find that Google is redirected (browsing in Firefox).

Any suggestions? I stand back in awe of some of you guys! How the heck do you know what to do with all these problems?! Thanks in advance.

John
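To make logs like the two above quicker to triage, here is an added example (not from the original post, and not Malwarebytes' own code) that parses the MBAM 1.44 log layout into per-section findings and pulls out whatever was appended to the Winlogon Userinit value besides userinit.exe, which is the persistence trick the Hijack.Userinit entry records. The sample excerpt is constructed from the entries in the post.

```python
import re
from collections import Counter

# Constructed excerpt in the Malwarebytes' Anti-Malware 1.44 log layout used in the post:
# a "... Infected:" header, one "item (family) -> action" line per finding, blank line between sections.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\sdra64.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Windows\System32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
"""

ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<detail>.+)$")
BAD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\)")


def parse_mbam_log(text):
    """Return {section: [finding, ...]}; each finding is a dict with item, family, detail, action."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):            # section header such as "Files Infected:"
            current = line[:-1]
            sections[current] = []
        elif current and (m := ENTRY_RE.match(line)):
            # the action is the last "->" segment; "Data:" / "Bad:" parts sit in front of it
            action = m.group("detail").rsplit(" -> ", 1)[-1].rstrip(".")
            sections[current].append({**m.groupdict(), "action": action})
    return sections


def userinit_extras(sections):
    """Executables listed in the Bad Userinit value other than userinit.exe itself."""
    extras = []
    for f in sections.get("Registry Data Items Infected", []):
        m = BAD_RE.search(f["detail"])
        if not f["item"].lower().endswith(r"\winlogon\userinit") or not m:
            continue
        for exe in m.group("bad").split(","):
            exe = exe.strip()
            if exe and exe.lower().rsplit("\\", 1)[-1] != "userinit.exe":
                extras.append(exe)
    return extras


def family_counts(sections):
    """How many findings each detection family accounts for, across all sections."""
    return Counter(f["family"] for findings in sections.values() for f in findings)
```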
