
infected, mcaffe says zeroaccess rootkit mwb saysTrojan.Dropper.BCMiner


27 replies to this topic

#16 brokedickfountain

brokedickfountain
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 29 June 2012 - 03:48 PM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-29 16:41:55
-----------------------------
16:41:55.546 OS Version: Windows x64 6.1.7600
16:41:55.546 Number of processors: 4 586 0x2505
16:41:55.546 ComputerName: TONY-PC UserName: tony
16:41:58.011 Initialize success
16:42:04.765 AVAST engine defs: 12062901
16:42:06.325 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:42:06.341 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
16:42:06.357 Disk 0 MBR read successfully
16:42:06.357 Disk 0 MBR scan
16:42:06.357 Disk 0 Windows 7 default MBR code
16:42:06.372 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 14336 MB offset 2048
16:42:06.388 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 29362176
16:42:06.403 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 462502 MB offset 29566976
16:42:06.435 Disk 0 scanning C:\Windows\system32\drivers
16:42:14.841 Service scanning
16:42:34.076 Modules scanning
16:42:34.091 Disk 0 trace - called modules:
16:42:34.091
16:42:37.570 AVAST engine scan C:\Windows
16:42:40.877 AVAST engine scan C:\Windows\system32
16:43:58.991 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
16:44:00.411 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
16:45:08.257 AVAST engine scan C:\Windows\system32\drivers
16:45:19.988 AVAST engine scan C:\Users\tony
16:46:52.137 AVAST engine scan C:\ProgramData
16:47:40.607 File: C:\ProgramData\Windows Codecs\MediaShellOverlays.dll **INFECTED** Win32:Dropper-gen [Drp]
16:47:40.607 Scan finished successfully
16:47:51.402 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
16:47:51.402 The log file has been saved successfully to "C:\aswMBR1.txt"



#17 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:42 AM

Posted 29 June 2012 - 04:05 PM

Download

avenger

Extract and launch it, click OK

Copy this script in the BOX

Files to delete:
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\ProgramData\Windows Codecs\MediaShellOverlays.dll

Click on Execute, click YES if it asks for a reboot

Post the new aswmbr log after reboot

#18 brokedickfountain

brokedickfountain
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 29 June 2012 - 04:35 PM

log after reboot


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-29 17:16:35
-----------------------------
17:16:35.722 OS Version: Windows x64 6.1.7600
17:16:35.722 Number of processors: 4 586 0x2505
17:16:35.722 ComputerName: TONY-PC UserName: tony
17:16:37.313 Initialize success
17:16:44.536 AVAST engine defs: 12062901
17:16:46.049 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:16:46.049 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
17:16:46.065 Disk 0 MBR read successfully
17:16:46.080 Disk 0 MBR scan
17:16:46.080 Disk 0 Windows 7 default MBR code
17:16:46.096 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 14336 MB offset 2048
17:16:46.111 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 29362176
17:16:46.127 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 462502 MB offset 29566976
17:16:46.158 Disk 0 scanning C:\Windows\system32\drivers
17:16:54.036 Service scanning
17:17:15.299 Modules scanning
17:17:15.299 Disk 0 trace - called modules:
17:17:15.330 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:17:15.845 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800a172060]
17:17:15.845 3 CLASSPNP.SYS[fffff88001a1743f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80080a2050]
17:17:17.857 AVAST engine scan C:\Windows
17:17:20.775 AVAST engine scan C:\Windows\system32
17:19:50.825 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
17:19:52.807 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
17:24:37.257 AVAST engine scan C:\Windows\system32\drivers
17:25:13.215 AVAST engine scan C:\Users\tony
17:29:56.353 AVAST engine scan C:\ProgramData
17:34:52.474 File: C:\ProgramData\Windows Codecs\MediaShellOverlays.dll **INFECTED** Win32:Dropper-gen [Drp]
17:34:52.490 Scan finished successfully
17:35:03.301 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
17:35:03.316 The log file has been saved successfully to "C:\aswMBR3.txt"

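As an added illustration (not code from the thread or from aswMBR itself): a small Python parser for the aswMBR detection lines posted above that compares the scan before and after the avenger run and reports which detections were removed, persisted, or are new, and which carry the [Rtk] rootkit class tag. The sample lines are copied from the two logs in this thread; the line format is assumed to be exactly as shown there.

```python
import re

# Detection line format from the aswMBR logs posted in this thread, e.g.
# 16:43:58.991 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
INFECTED_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{3} File: (?P<path>.+?) \*\*INFECTED\*\* "
    r"(?P<name>\S+) \[(?P<cls>\w+)\]$"
)

def parse_detections(log_text):
    """Map each flagged path (lower-cased, since Windows paths are
    case-insensitive) to its (detection name, class tag) pair."""
    found = {}
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            found[m.group("path").lower()] = (m.group("name"), m.group("cls"))
    return found

def compare_scans(before_text, after_text):
    """Classify detections between two runs as removed, persisting or new."""
    before, after = parse_detections(before_text), parse_detections(after_text)
    return {
        "removed": sorted(set(before) - set(after)),
        "persisting": sorted(set(before) & set(after)),
        "new": sorted(set(after) - set(before)),
    }

def rootkit_class_paths(log_text):
    """Paths tagged [Rtk]: file-level deletion alone usually does not clear
    these, which is exactly what the repeated logs in this thread show."""
    return sorted(p for p, (_, cls) in parse_detections(log_text).items() if cls == "Rtk")

# Detection lines copied from the two logs above (first scan, then the scan after reboot).
SCAN_BEFORE = r"""
16:43:58.991 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
16:44:00.411 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
16:47:40.607 File: C:\ProgramData\Windows Codecs\MediaShellOverlays.dll **INFECTED** Win32:Dropper-gen [Drp]
16:47:40.607 Scan finished successfully
"""
SCAN_AFTER = r"""
17:19:50.825 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
17:19:52.807 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
17:34:52.474 File: C:\ProgramData\Windows Codecs\MediaShellOverlays.dll **INFECTED** Win32:Dropper-gen [Drp]
17:34:52.490 Scan finished successfully
"""

if __name__ == "__main__":
    for kind, paths in compare_scans(SCAN_BEFORE, SCAN_AFTER).items():
        print(f"{kind}: {len(paths)}")
```

Run against the two logs in this thread it reports three persisting detections and nothing removed, two of them rootkit-class, which matches the advisor's decision to escalate to the malware-removal forum.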
#19 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:42 AM

Posted 29 June 2012 - 06:33 PM

.

Edited by narenxp, 29 June 2012 - 07:40 PM.


#20 brokedickfountain

brokedickfountain
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 29 June 2012 - 06:47 PM

Yeah, I'll try it again if you say so though

#21 brokedickfountain

brokedickfountain
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 29 June 2012 - 06:56 PM

I tried it again just in case and it's all still there, same results

#22 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:42 AM

Posted 29 June 2012 - 07:05 PM

Click on the Start menu and type

cmd

Right-click on it, select Run as administrator, and run these commands

cd c:\windows\assembly
attrib -s -h -r desktop.ini
ren desktop.ini desktop.ini.old


Now launch Malwarebytes, click on MORE TOOLS

Click on RUN TOOL

Browse to C:\windows\assembly\GAC_32 & C:\windows\assembly\GAC_64

Delete the desktop.ini files, re-run aswMBR and post the new log

#23 brokedickfountain

brokedickfountain
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 29 June 2012 - 07:28 PM

It says file not found when I try to run the commands

#24 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:42 AM

Posted 29 June 2012 - 07:40 PM

EDIT:

We need advanced tools to remove this one

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

Edited by narenxp, 29 June 2012 - 07:42 PM.


#25 brokedickfountain

brokedickfountain
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 29 June 2012 - 07:48 PM

Same aswMBR log after the reboot

#26 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:42 AM

Posted 29 June 2012 - 09:12 PM

Please follow my previous instructions :thumbup2:

#27 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,537 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:42 AM

Posted 29 June 2012 - 09:15 PM

If you cannot get DDS to work, please try this instead.

Please download OTL by OldTimer and save it to your Desktop.
  • Close all other applications and windows so that you have nothing open.
  • Double click on the OTL icon on your desktop.

    Vista/Windows 7 users right-click and select Run As Administrator.
    If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Under Output, ensure that Minimal Output is selected.
  • Click the "Scan All Users" checkbox.
    Leave the remaining selections to the default settings.
  • Click the Posted Image button.
  • Do not use the computer while the scan is in progress.
  • When the scan is complete, two log files will open in Notepad:
    • OTListIt.txt <- (will be maximized)
    • Extras.txt <- (will be minimized in the Task Bar).
  • Both logs are automatically saved to the Desktop.
  • Please copy and paste the contents of OTListIt.txt and Extras.txt in your next reply.
    If the Extras.txt log is too long, you may need to add a second reply to your thread or upload it as an attachment.
  • Click the red X in the upper right corner to exit OTL.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If OTL did not work, then reply back here.

#28 brokedickfountain

brokedickfountain
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 29 June 2012 - 09:48 PM

OK, I posted the logs in the other thread, thanks :)



