
Malware in Microsoft\Secure\Icons


2 replies to this topic

#1 durrydurry

durrydurry

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 05 October 2014 - 08:45 PM

Toshiba Satellite running Win7, Home Premium

 

Emsisoft (and only Emsisoft...I have the paid version of Malwarebytes, too, but it doesn't even pick up this Trojan on a scan) repeatedly blocks attempts by variant tmpXXXX.exe files to connect to remote servers. It generates a new tmp file each time with a different 3 or 4 character alphanumeric string.

 

Here is the log...

 

C:\ProgramData\Microsoft\Secure\Icons\temp\tmpD0A3.exe detected: Behavior.TrojanDownloader
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp46EE.exe detected: Gen:Variant.Graftor.158181 ( B)
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp4435.exe detected: Behavior.HiddenInstallation
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp9D26.exe detected: Behavior.CodeInjector
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp49AD.exe detected: Behavior.CodeInjector
C:\ProgramData\Microsoft\Secure\Icons\temp\tmpD3A6.exe detected: Bad reputation
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp13B5.exe detected: Bad reputation
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp9521.exe detected: Gen:Variant.Strictor.65672 ( B)
C:\ProgramData\Microsoft\Secure\Icons\temp\tmpF3E.exe detected: Trojan.GenericKD.1899162 ( B)
C:\ProgramData\Microsoft\Secure\Icons\temp\tmpDD15.exe detected: Gen:Variant.Strictor.65765 ( B)
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp36EB.exe detected: Behavior.CodeInjector
C:\ProgramData\Microsoft\Secure\Icons\temp\tmpCE58.exe detected: Trojan.Agent.BFVR ( B)
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp7FF6.exe detected: Trojan.Agent.BFSG ( B)
 
Emsisoft did find this Trojan once and quarantined it. Now it won't find it again on a full scan but does keep blocking it when it tries to 'phone home'.
 
Rootkit programs don't find it, either.
 
Anyone know how to permanently delete this?

Edited by hamluis, 06 October 2014 - 08:46 AM.
Moved from Win 7 to Am I Infected - Hamluis.
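As an added example (not code from the poster, from Emsisoft or from BleepingComputer), a small Python parser over the detection lines quoted in the post above: it extracts the directory, the random hex suffix and the detection family from each line and checks for the "new tmp file each time" pattern the poster describes, which is what makes a one-off quarantine insufficient. The family grouping (text before the first dot) and the dropper heuristic are my own assumptions about how to read these lines.

```python
import re
from collections import Counter

# Emsisoft detection lines quoted in the post above (the page's own log).
LOG_LINES = [
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmpD0A3.exe detected: Behavior.TrojanDownloader",
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmp46EE.exe detected: Gen:Variant.Graftor.158181 ( B)",
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmp4435.exe detected: Behavior.HiddenInstallation",
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmp9D26.exe detected: Behavior.CodeInjector",
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmp49AD.exe detected: Behavior.CodeInjector",
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmpD3A6.exe detected: Bad reputation",
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmp13B5.exe detected: Bad reputation",
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmp9521.exe detected: Gen:Variant.Strictor.65672 ( B)",
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmpF3E.exe detected: Trojan.GenericKD.1899162 ( B)",
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmpDD15.exe detected: Gen:Variant.Strictor.65765 ( B)",
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmp36EB.exe detected: Behavior.CodeInjector",
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmpCE58.exe detected: Trojan.Agent.BFVR ( B)",
    r"C:\ProgramData\Microsoft\Secure\Icons\temp\tmp7FF6.exe detected: Trojan.Agent.BFSG ( B)",
]

# One line: <dir>\tmp<hex>.exe detected: <name>, with an optional trailing engine tag like " ( B)".
LINE_RE = re.compile(
    r"^(?P<dir>.+)\\tmp(?P<hex>[0-9A-F]{3,4})\.exe detected: (?P<name>.+?)(?: \(\s*\w\))?$"
)

def parse_detections(lines):
    """One dict (dir, hex, name) per well-formed detection line; others are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in lines)
    return [m.groupdict() for m in matches if m]

def summarize(records):
    """Directories seen, the distinct random suffixes, and hits per family
    (assumption: the family is the text before the first '.' in the name)."""
    return {
        "dirs": sorted({r["dir"] for r in records}),
        "suffixes": sorted({r["hex"] for r in records}),
        "families": Counter(r["name"].split(".")[0] for r in records),
    }

def looks_like_regenerating_dropper(records):
    """True when every hit is a distinct tmp<hex>.exe in a single directory: the
    'new tmp file each time' pattern described above. Quarantining one such file
    does not help; the component that keeps writing them has to be found."""
    dirs = {r["dir"] for r in records}
    suffixes = {r["hex"] for r in records}
    return len(records) > 1 and len(dirs) == 1 and len(suffixes) == len(records)
```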




#2 wes104

wes104

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 06 November 2014 - 02:15 PM


I also had this problem. The way I solved it was by going into safe mode and deleting the whole folder "secure". I checked on my other PCs that had the same Windows and only the infected PC had a folder named "secure". I've also run RogueKiller and it seems the two .dll files are the culprit. It says there explore.exe. I hope it helps you a little.


Edited by wes104, 06 November 2014 - 02:21 PM.


#3 durrydurry

durrydurry
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 06 November 2014 - 03:47 PM

Bullguard got it. A 128GB thumb drive apparently was the source. I never thought to scan it and the Trojan would mysteriously re-appear on my laptop after it had been quarantined. I had loaned the thumb drive to a friend so he could upload some photos I needed. I hadn't thought about scanning the thumb drive and Bullguard did and found the infection.

