AvaSoft Antivirus Professional /backdoor.papras infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by wado66, Mar 29, 2013.

  1. wado66

    wado66 Private E-2

    I followed the instructions in the sticky on the Malware Removal Guide and am attaching the log files.
    I noticed I was infected with the AvaSoft Antivirus Professional trojan and ran Malwarebytes. The computer was still acting slow so I came here and followed the steps in the sticky. Below are my log files.
    Please let me know if I have left anything off.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below very old versions of software:
    Java(TM) 6 Update 14

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\$Recycle.Bin\S-1-5-18\$ff0588803365b69d169f41c5116d48a3\L
    C:\$Recycle.Bin\S-1-5-18\$ff0588803365b69d169f41c5116d48a3\n
    C:\$Recycle.Bin\S-1-5-18\$ff0588803365b69d169f41c5116d48a3\U
    C:\$Recycle.Bin\S-1-5-18\$ff0588803365b69d169f41c5116d48a3
    C:\$Recycle.Bin\S-1-5-21-3293026393-2458109672-1150948656-1000\$ff0588803365b69d169f41c5116d48a3\@
    C:\$Recycle.Bin\S-1-5-21-3293026393-2458109672-1150948656-1000\$ff0588803365b69d169f41c5116d48a3\L
    C:\$Recycle.Bin\S-1-5-21-3293026393-2458109672-1150948656-1000\$ff0588803365b69d169f41c5116d48a3\n
    C:\$Recycle.Bin\S-1-5-21-3293026393-2458109672-1150948656-1000\$ff0588803365b69d169f41c5116d48a3\U
    C:\$Recycle.Bin\S-1-5-21-3293026393-2458109672-1150948656-1000\$ff0588803365b69d169f41c5116d48a3
    C:\windows\TEMP\*.*
    C:\Users\Ronnie\AppData\Local\Temp\*.*
    
    :Reg
    [-HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32]
    [-HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{01947140-417F-46B6-8751-A3A2B8345E1A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7473D298-B7BB-4F24-AE82-7E2CE94BB6A9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{819FFE21-35C7-4925-8CDA-4E0E2DB94302}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8E9CF769-3D3B-40EB-9E2D-76E7A205E4D2}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAA9C380-E19A-4436-88F6-02942C31CC9E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAA9C381-E19A-4436-88F6-02942C31CC9E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DB507187-9746-458C-97DA-C458131EEDE7}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB507187-9746-458C-97DA-C458131EEDE7}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\s]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F37879D4-9805-4F09-AC88-A09CCDC9583A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{FCC4AF13-B7EB-4BDF-A959-1093ECD47DB0}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
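A read-only triage pass, added here as an example and not part of chaslang's post or of OTM itself. It looks for exactly the artefacts the OTM script above targets, without deleting anything, so the analyst can confirm them first and record which DLL the two hijacked CLSIDs were loading. It assumes the Windows drive is C: and that it is run from an elevated PowerShell in the infected user's session (so HKCU is that user's hive); the registry key names are copied from the `:Reg` section, nothing else on the system is assumed.

```powershell
# Added triage script (not from the original post, not an OTM script). Read-only:
# it reports, it does not remove. Assumes drive C: and an elevated prompt in the
# infected user's session. Key names below are copied from the OTM :Reg section.

$clsidKeys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32'
)
$otherKeys = @(
    'HKLM:\SOFTWARE\Classes\Interface\{01947140-417F-46B6-8751-A3A2B8345E1A}',
    'HKLM:\SOFTWARE\Classes\Interface\{7473D298-B7BB-4F24-AE82-7E2CE94BB6A9}',
    'HKLM:\SOFTWARE\Classes\Interface\{819FFE21-35C7-4925-8CDA-4E0E2DB94302}',
    'HKLM:\SOFTWARE\Classes\Interface\{8E9CF769-3D3B-40EB-9E2D-76E7A205E4D2}',
    'HKLM:\SOFTWARE\Classes\Interface\{AAA9C380-E19A-4436-88F6-02942C31CC9E}',
    'HKLM:\SOFTWARE\Classes\Interface\{AAA9C381-E19A-4436-88F6-02942C31CC9E}',
    'HKLM:\SOFTWARE\Classes\Interface\{DB507187-9746-458C-97DA-C458131EEDE7}',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\Interface\{DB507187-9746-458C-97DA-C458131EEDE7}',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}',
    'HKLM:\SOFTWARE\Classes\s',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\{F37879D4-9805-4F09-AC88-A09CCDC9583A}',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\{FCC4AF13-B7EB-4BDF-A959-1093ECD47DB0}'
)

function Find-RecycleBinPayloadDirs {
    # Single quotes: '$' must not be expanded as a variable in the path.
    param([string]$Root = 'C:\$Recycle.Bin')

    # Legitimate recycle-bin entries are $I<6 chars> / $R<6 chars> pairs. A directory
    # named '$' plus 32 hex digits, as in the OTM :Files list, does not fit that pattern.
    # -Force is needed because these folders are hidden+system; -LiteralPath because of '$'.
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'S-1-5-*' } |
        ForEach-Object {
            $sid = $_.Name
            Get-ChildItem -LiteralPath $_.FullName -Directory -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match '^\$[0-9a-fA-F]{32}$' } |
                ForEach-Object {
                    $members = Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue
                    [pscustomobject]@{
                        Sid      = $sid
                        Path     = $_.FullName
                        Contents = ($members | ForEach-Object { $_.Name }) -join ', '
                    }
                }
        }
}

function Get-RegistryArtefacts {
    foreach ($k in $clsidKeys) {
        if (Test-Path -LiteralPath $k) {
            # The (default) value of InprocServer32 is the DLL COM loads for this CLSID.
            # Record it before OTM deletes the key; it names the on-disk component.
            $dll = (Get-ItemProperty -LiteralPath $k).'(default)'
            [pscustomobject]@{ Key = $k; Present = $true;  Value = $dll }
        } else {
            [pscustomobject]@{ Key = $k; Present = $false; Value = $null }
        }
    }
    foreach ($k in $otherKeys) {
        [pscustomobject]@{ Key = $k; Present = (Test-Path -LiteralPath $k); Value = $null }
    }
}

Write-Host '== Hex-named directories under $Recycle.Bin SID folders =='
Find-RecycleBinPayloadDirs | Format-Table -AutoSize -Wrap

Write-Host '== Registry keys listed in the OTM :Reg section =='
Get-RegistryArtefacts | Format-Table -AutoSize -Wrap
```

Save it as a .ps1 and run it from an elevated PowerShell (for example with `powershell -ExecutionPolicy Bypass -File .\triage.ps1`) before running OTM, and again after the reboot: the second run should show no hex-named directories and every key reported as `Present = False`. The `Contents` column is there because the OTM list names single-character members (`@`, `L`, `n`, `U`) inside each hex directory; seeing the same names on the live system is the confirmation that the script is aimed at the right folders.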
