Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.Dropper.BCMiner and Luhe.sirefef.A


  • Please log in to reply
12 replies to this topic

#1 osterlb

osterlb

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:06 PM

Posted 31 July 2012 - 09:14 PM

Apologies if my formating is incorrect, I was referred to this site from reddit.
Earlier today my AVG detected a Luhe.sirefef.A virus1 but could not remove them.
Upon instruction from a thread I created on reddit2 I downloaded and ran Malwarebytes. This programs output3 revealed a Trojan virus. Malwarebytes was able to delete this virus, I then ran a second AVG scan and the Luhe virus was gone. They were in different files according to the pathnames given in each of the outputs. I am confused by this and not certain if I am in the clear as far as the first virus that was detected goes. Again apologies if my formatting is off.

1. http://i.imgur.com/GDPY3.png
2. http://www.reddit.com/r/techsupport/comments/xgpqa/have_luhesirefefa_virus_avg_doesnt_delete_it/
3. http://paste.ubuntu.com/1122493/

Edited by osterlb, 31 July 2012 - 09:14 PM.


BC AdBot (Login to Remove)

 


#2 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:08:06 PM

Posted 01 August 2012 - 02:18 PM

Hello and welcome to Bleeping Computer!

I am D-FRED-BROWN and I will be helping you. :)


Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.


----------Step 1----------------
I know you've already run TDSSKiller before, but please run it one more time so we have an up-to-date idea of what may be remaining on the computer.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Skip is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: Do not choose Cure or Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


----------Step 3----------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 4----------------
In your next reply, please include the following:
  • TDSSKiller's logfile
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)
Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Posted Image
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Posted Image
Thank you!

#3 osterlb

osterlb
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:06 PM

Posted 01 August 2012 - 04:31 PM

http://paste.ubuntu.com/1124200/
http://paste.ubuntu.com/1124201/
http://paste.ubuntu.com/1124202/
http://paste.ubuntu.com/1124203/

The links are in the order you asked for. My computer seems to be running fine at the moment. After running combofix I could not start any programs, all of them said that they were tagged for deletion, I then restarted the computer and everything works fine now. Is this normal? Did combofix remove anything?

#4 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:08:06 PM

Posted 01 August 2012 - 08:37 PM

Is this normal?

Yep. :)

Did combofix remove anything?

It doesn't appear so, but it looks like the main part of the virus was removed to begin with.

I'd like to get a better look to see if there's anything that may remain:

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Edited by D-FRED-BROWN, 01 August 2012 - 08:37 PM.

Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Posted Image
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Posted Image
Thank you!

#5 osterlb

osterlb
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:06 PM

Posted 01 August 2012 - 11:19 PM

http://paste.ubuntu.com/1124655/
http://paste.ubuntu.com/1124657/

#6 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:08:06 PM

Posted 01 August 2012 - 11:38 PM

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :OTL
    [2012/07/31 11:11:57 | 000,092,672 | ---- | C] () -- C:\Users\Brandon\AppData\Local\{5b0cdf74-907b-7cfe-b504-5b0886f5d0ef}\U\80000032.@
    [2012/07/31 11:11:45 | 000,080,896 | ---- | C] () -- C:\Users\Brandon\AppData\Local\{5b0cdf74-907b-7cfe-b504-5b0886f5d0ef}\U\80000064.@
    [2012/07/31 11:11:45 | 000,000,804 | ---- | C] () -- C:\Users\Brandon\AppData\Local\{5b0cdf74-907b-7cfe-b504-5b0886f5d0ef}\L\00000004.@
    [2012/07/31 11:11:39 | 000,016,896 | ---- | C] () -- C:\Users\Brandon\AppData\Local\{5b0cdf74-907b-7cfe-b504-5b0886f5d0ef}\U\80000000.@
    [2012/07/31 11:11:39 | 000,001,632 | ---- | C] () -- C:\Users\Brandon\AppData\Local\{5b0cdf74-907b-7cfe-b504-5b0886f5d0ef}\U\000000cb.@
    [2012/07/31 11:11:38 | 000,002,048 | ---- | C] () -- C:\Users\Brandon\AppData\Local\{5b0cdf74-907b-7cfe-b504-5b0886f5d0ef}\U\00000004.@
    [2012/01/10 15:16:52 | 000,002,048 | -HS- | C] () -- C:\Users\Brandon\AppData\Local\{5b0cdf74-907b-7cfe-b504-5b0886f5d0ef}\@
    
    :Files
    C:\Users\Brandon\AppData\Local\{5b0cdf74-907b-7cfe-b504-5b0886f5d0ef}
    C:\Windows\Installer\{5b0cdf74-907b-7cfe-b504-5b0886f5d0ef}
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Posted Image
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Posted Image
Thank you!

#7 osterlb

osterlb
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:06 PM

Posted 02 August 2012 - 01:46 AM

What did this do?

http://paste.ubuntu.com/1124755/

After running this OTL fix Steam gives me this error when starting the program. How would I fix this? I have no compatibility settings enabled.
http://imgur.com/5dFfc
http://imgur.com/oRXBJ

Edited by osterlb, 02 August 2012 - 01:54 AM.


#8 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:08:06 PM

Posted 02 August 2012 - 01:37 PM

What did this do?

We removed some of the last pieces of the main infection you had (the ZeroAccess/Sirefef rootkit). :thumbup2:

After running this OTL fix Steam gives me this error when starting the program. How would I fix this? I have no compatibility settings enabled.

Try reinstalling Steam. That should clear up any of those issues.

-----------------

We're nearly in the clear. Let's run an online scan to verify we haven't missed anything:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats is Unchecked and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Posted Image
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Posted Image
Thank you!

#9 osterlb

osterlb
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:06 PM

Posted 02 August 2012 - 04:45 PM

http://paste.ubuntu.com/1125980/
the log above doesn't seem to be complete.

I got this from the ESET program itself.
http://paste.ubuntu.com/1125988/
Looks like it found 3 in the OTL moved files thing. Is that a good thing?

#10 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:08:06 PM

Posted 02 August 2012 - 05:04 PM

Yep, it just picked up some items we previously quarantined. I'll show you how to delete those once and for all as we wrap things up.

Your system appears to be clean. :thumbsup:

Please take the time to install the following program updates, as using outdated applications leaves you vulnerable to getting infected again:


Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Download the newest version from here http://www.oracle.com/technetwork/java/javase/downloads/index.html.

It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to Start > Control Panel and open Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment).
They will have this icon next to them: Posted Image
Select each in turn and click Remove.

Once old versions are gone, please install the newest version.

---------------

Your Flash Player is out of date!
To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, visit this link: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

---------------

Please let me know how the updates went, as failed updates may indicate additional malware.

Edited by D-FRED-BROWN, 02 August 2012 - 05:05 PM.

Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Posted Image
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Posted Image
Thank you!

#11 osterlb

osterlb
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:06 PM

Posted 02 August 2012 - 05:36 PM

I ran the updates, here is a security check output. Does everything look good as far as updates go?

http://paste.ubuntu.com/1126078/

#12 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:08:06 PM

Posted 02 August 2012 - 05:58 PM

Looks like the updates went well. :)

Now, I'll provide you some suggestions for security software.

First,
We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:

First, let's remove ComboFix:
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

-------------

Let's remove OTL as well:
  • Reopen Posted Image on your desktop.
  • Click on Posted Image
  • You will be prompted to reboot your system. Please do so.

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.


It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!.
AntiVir
AVG

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.
A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.
If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available A tutorial on understanding and using firewalls may be found here.


If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Posted Image
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Posted Image
Thank you!

#13 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:08:06 PM

Posted 05 August 2012 - 03:42 PM

(bump)

Are you still with me? If your problems still persist, let me know and we'll go about fixing them. :wink:
If not, please let me know so I can close this topic.

-DFB
Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Posted Image
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Posted Image
Thank you!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users