Infected! Trojan:Win64/Sirefef, Dropper BCMiner

[havalina]

Hi all,

When I turned on my PC this evening, I noticed that Microsoft Security Essentials was not enabled as it should be. I double clicked the icon in the system tray and was advised that "Microsoft Security Essentials isn't monitoring your computer". After rebooting a few times and running the troubleshooter here without success, I did a fresh install of MSE which got things running again.

From this point onwards, MSE has been quarantining the Trojan:Win64/Sirefef in various forms (Sirefef.P, Sirefef.AA, Sirefef.W, Sirefef.AN) every 5-10 minutes. Upon running Malwarebytes it appears I also have a Trojan: Dropper.BCMiner!

After scanning and 'removing' the offending item it asks me to reboot, which I have done several times. When I boot back into Windows and run Malwarebytes again however, the blasted thing is still there time and time again.

Obviously I want these off my computer as quickly as possible so any help would be much appreciated. Hopefully I've run the DDS tool correctly and the attached files are of some use to you guys in helping to diagnose and remedy this problem.

Thanks in advance for your help.

DDS.txt

Attach.txt

[MrCharlie]

Welcome to the forum.

Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.

Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against our policy:

http://forums.malwar...showtopic=97700

----------------------------------

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

[havalina]

Thank you for your help and apologies for not reading the policy more carefully - I did not realise uTorrent was still on my system. The program has been competely inactive for years and has now been removed.

I've downloaded and run the RogueKiller application and posted the report below. I ran the scan and closed the program afterwards as you advised without applying any fixes.

Once again, thank you for your help with this.

RKreport1.txt

[MrCharlie]

OK, we have to get to the "Repair Your Computer" option to fix this, not all Vista machines have the "Repair Your Computer" option.

So see if yours does and please read the warning: (you may also get it by using Windows installation disc if you have one)

-----------------------------------

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
  
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.
  

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
  
• Restart your computer.
  
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  
• Click Repair your computer.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.
  

On the System Recovery Options menu you will get the following options:

• 
  
  • 
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
    

  [*]Select Command Prompt

  [*]In the command window type in notepad and press Enter.

  [*]The notepad opens. Under File menu select Open.

  [*]Select "Computer" and find your flash drive letter and close the notepad.

  [*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

  Note: Replace letter e with the drive letter of your flash drive.

  [*]The tool will start to run.

  [*]When the tool opens click Yes to disclaimer.

  [*]Press Scan button.

  [*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC

[havalina]

Hello again,

I used my windows installation disk to get to the "Repair Your Computer" option and went through the various screens as instructed. One thing to mention is that I wasn't given the option of selecting a user account after selecting the operating system but the tool seemed to run without issue (albeit slowly!).

I've attached the log below and await further instruction.

Thank you

FRST.txt

[MrCharlie]

OK, here you go......same way you did it before

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

C:\Windows\Installer\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}
C:\Windows\Installer\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}\@
C:\Windows\Installer\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}\L
C:\Windows\Installer\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}\U
C:\Windows\Installer\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}\L\00000004.@
C:\Windows\Installer\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}\L\1afb2d56
C:\Windows\Installer\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}\L\201d3dde
C:\Users\Andrew\AppData\Local\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}
C:\Users\Andrew\AppData\Local\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}\@
C:\Users\Andrew\AppData\Local\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}\L
C:\Users\Andrew\AppData\Local\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}\U
C:\Users\Andrew\AppData\Local\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}\L\00000004.@
C:\Users\Andrew\AppData\Local\{8e54795a-7ee2-0b18-2352-51ff1d9ec0c8}\U\00000008.@
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC

[havalina]

I followed your instructions and I've run the tool again and applied the fix. The fixlog is attached below.

I can see that a number of the entries are now showing as 'not found' rather than 'moved successfully' which is a bit worrying. Hopefully you can shed some light on this though and advise what I need to do next. Once again, I await further instruction.

Thank you again

Fixlog.txt

[MrCharlie]

Looks Good....

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

[havalina]

Hi again,

Just ran a MBAM Quick Scan. All came up clean which is great news however, Microsoft Security Essentials flashed up literally two minutes after the MBAM scan had finished saying that it was quarantining some new items.

The items in question are TrojanDownloader:Java/OpenStream.BY which is listed twice. Should I run another scan? Do I need to be concerned by this? Is this linked to the previous problem or something entirely different?

MBAM log attached below for your information and advice.

Thank you

mbam-log-2012-07-17 (23-14-08).txt

[MrCharlie]

I can see that a number of the entries are now showing as 'not found' rather than 'moved successfully' which is a bit worrying. Hopefully you can shed some light on this though and advise what I need to do next. Once again, I await further instruction.

I sorry I missed this one.

It's "over kill" once the root folder is deleted so are all the others.

Clear out Java cashe:

http://www.java.com/...lugin_cache.xml

Update and run a scan with MSE and see what it finds.

Let me know, MrC

[havalina]

Hmm...I don't have a Java icon in my control panel which is odd because I thought I had it installed. In fact if I go into "Programs & Features", I can see "Java Update 31" is listed in there with the option of uninstalling. Any ideas? Happy to uninstall, reinstall then clear cache if this is advisable?

Thanks

[MrCharlie]

Yes, I have a tutorial on it:

http://forums.whatthetech.com/index.php?showtopic=68632

MrC

[havalina]

Hi,

I downloaded and ran JavaRa which said it had saved a logfile and would now open this. It did not open a logfile and I cannot find one anywhere on my hard drive. The first time I ran it, it did give a list of old versions it had removed however when I rebooted and checked Programs & Features, "Java™ Update 31" is still in there. Should I try uninstalling this via the usual control panel method or could this cause problems?

A small additional issue - the icons on my desktop keep reverting to 'medium icons' rather than 'classic icons' no matter how many times I set this preference. I did not encounter this behaviour prior to the malware/virus. Any ideas why it is continuing to do this?

Thanks

[MrCharlie]

Should I try uninstalling this via the usual control panel method

Yes

We can run another program after you get java fixed. MrC

[havalina]

Ok, I've uninstalled Java and reinstalled to the latest version. I've just run a Quick Scan using MSE and also a Quick Scan using MBAM. Both came up clean, no malicious items detected. However, I am still experiencing the weird issue with my desktop icons resizing every time I restart the computer. Any suggestions on this one?

Thank you so much for your help so far.

[MrCharlie]

Lets run ComboFix and see what it finds....

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[havalina]

I've run ComboFix as instructed - log file is attached below.

I've just had an unusual pop up message though:

FlashPlayerPlugin_11_3_300_265.exe - Drive Not Ready

The drive is not ready for use; its door may be open. Please check drive A: and make sure that a disk is inserted and that the drive door is closed.

Cancel | Try Again | Continue

I've just checked under "My Computer" and "Floppy Disk Drive A:" does seem to be showing up as a drive. I do not have a floppy disk drive on my computer and this drive did not previously show - any ideas here?

I don't know if the Flash Player popup is a harmless message (i.e. non-malware related) but as before, I await further instruction.

ComboFix.txt

[MrCharlie]

I don't think it's malware related, lets clean up all the logs and tools first.

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

MrC

[havalina]

I've downloaded and run the CleanUp through OTL. Deleted some of the logs etc. Icons on desktop appear to be back to normal and I haven't had the Flash Player thing pop-up again.

I do have a folder on C: Drive called FRST - presumably from the boot tool I installed - am I ok to just manually delete this? What further steps do I need to take if any?

Thank you

[MrCharlie]

Yes you can delete it.

That's about it

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[havalina]

Strangely when I try and delete the folder FRST from C: it tells me that Destination Folder Access is denied and that I need to confirm the operation. It brings up the UAC dialogue box - to which I click continue but it repeatedly says "Destination Folder Access Denied" when I click "Try Again". Any suggestions on removing this?

[MrCharlie]

What's the full path to it including the folder? MrC

[havalina]

Sorry - an additional question. Just looking in the history tab of MSE - I still have a long list of Quarantined Sirefef Trojans from the other day. Am I safest leaving these as they are or am I better clicking "Remove All"?

[MrCharlie]

Either one is fine, MrC

[havalina]

What's the full path to it including the folder? MrC

Full path to it is C:\FRST. It contains three subfolders 'Hives', 'Logs' and 'Quarantine' along with a file titled 'softdebug'.