Topic: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems


Mchavez2084

  • Guest
Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« on: August 07, 2012, 09:20:54 PM »
Hey there,

About 10 months ago one of my older laptops got a really nasty virus when I tried upgrading Adobe Flash (it almost got the virus when I tried updating Java before that, but my virus protector put the kibosh on that). It wouldn't let me turn on the internet at all. Whenever I would open a window I would get all but flashing lights saying virus detected, you can't log online. Since I had two laptops I figured whatever, I'll put this one away for now. Fast forward 10 months and my other laptop takes a shit and dies (the power charge sparks whenever I try to plug it in). So when I opened up this computer to try to finally fix it the internet was working again, but I kept getting a pop up from my outdated AVG saying you have a virus, blah blah. I googled it and found out it was just a part of the virus. To stop the pop ups I uninstalled AVG (I use avast now anyway). I did a little research on here and have followed the instructions on getting the logs to attach for your viewing (attached below). I had run Malware a few days ago before I started looking on here and have attached that file as well. I also ran avast! but I can't seem to attach more than 4 logs, so if you want to see those let me know and I can upload them. Also the following was from aswMBR:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-07 11:12:15
-----------------------------
11:12:15.062    OS Version: Windows x64 6.0.6001 Service Pack 1
11:12:15.062    Number of processors: 2 586 0xF0D
11:12:15.062    ComputerName: MIGUELCHAVEZ-PC  UserName: Miguel Chavez
11:12:16.669    Initialize success
11:12:19.992    AVAST engine defs: 12080700
11:12:21.739    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
11:12:21.739    Disk 0 Vendor: TOSHIBA_ LV01 Size: 305245MB BusType: 3
11:12:21.755    Disk 0 MBR read successfully
11:12:21.755    Disk 0 MBR scan
11:12:22.347    Disk 0 Windows VISTA default MBR code
11:12:22.363    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
11:12:23.003    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       303744 MB offset 3074048
11:12:23.439    Disk 0 scanning C:\Windows\system32\drivers
11:12:39.804    Service scanning
11:13:13.749    Modules scanning
11:13:13.749    Disk 0 trace - called modules:
11:13:13.796    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
11:13:13.796    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d5c060]
11:13:13.812    3 CLASSPNP.SYS[fffffa6000fc5b3a] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004c13050]
11:13:14.639    AVAST engine scan C:\Windows
11:13:18.086    AVAST engine scan C:\Windows\system32
11:14:37.755    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
11:14:40.657    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
11:15:45.085    AVAST engine scan C:\Windows\system32\drivers
11:15:58.532    AVAST engine scan C:\Users\Miguel Chavez
11:49:39.481    AVAST engine scan C:\ProgramData
11:54:19.127    Scan finished successfully
11:54:39.157    Disk 0 MBR has been saved successfully to "C:\Users\Miguel Chavez\Desktop\MBR.dat"
11:54:39.173    The log file has been saved successfully to "C:\Users\Miguel Chavez\Desktop\aswMBR.txt"


Any help on clearing up this virus would be greatly appreciated.
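Reading the aswMBR log above by hand is what the helpers in this thread do: check that the MBR was read and still carries default boot code, list the files marked **INFECTED** with their detection names, and confirm the scan actually finished. As an added example (not part of the original post and not aswMBR's own code), the Python below pulls those same facts out of a log in that layout. The sample log embedded in the block is constructed from the lines posted above, and treating the `[Rtk]` tag as a rootkit-class marker is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed aswMBR log in the same layout as the one
# posted in this thread (timestamp, message, **INFECTED** marker, [Rtk] tag).
SAMPLE_LOG = r"""
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-07 11:12:15
-----------------------------
11:12:15.062    OS Version: Windows x64 6.0.6001 Service Pack 1
11:12:21.755    Disk 0 MBR read successfully
11:12:22.347    Disk 0 Windows VISTA default MBR code
11:14:37.755    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
11:14:40.657    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
11:54:19.127    Scan finished successfully
"""

# Every scan event starts with an HH:MM:SS.mmm timestamp; header lines do not.
EVENT_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
# "File: <path>  **INFECTED** <detection> [<tag>]"
INFECTED_RE = re.compile(r"^File:\s+(.+?)\s+\*\*INFECTED\*\*\s+(\S+)(?:\s+\[(\w+)\])?$")


@dataclass
class Triage:
    infected: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)
    mbr_read: bool = False          # "Disk N MBR read successfully"
    mbr_default_code: bool = False  # "Disk N Windows ... default MBR code"
    finished: bool = False          # "Scan finished successfully"

    @property
    def rootkit_flagged(self) -> bool:
        # Assumption: the [Rtk] tag marks rootkit-class detections.
        return any(tag == "Rtk" for _, _, tag in self.infected)


def triage_aswmbr(text: str) -> Triage:
    """Extract the facts a helper reads off an aswMBR log."""
    result = Triage()
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue  # banner / run-date lines carry no timestamp
        msg = m.group(2).strip()
        hit = INFECTED_RE.match(msg)
        if hit:
            result.infected.append((hit.group(1), hit.group(2), hit.group(3)))
        elif msg.endswith("MBR read successfully"):
            result.mbr_read = True
        elif "default MBR code" in msg:
            result.mbr_default_code = True
        elif msg == "Scan finished successfully":
            result.finished = True
    return result


def verdict(t: Triage) -> str:
    """One-line summary of what the log does and does not show."""
    if not t.finished:
        return "incomplete scan: do not draw conclusions from it"
    if t.infected and t.mbr_read and t.mbr_default_code:
        return "file-level detections, boot code intact"
    if t.infected:
        return "detections present; MBR state unclear"
    return "no detections"


if __name__ == "__main__":
    t = triage_aswmbr(SAMPLE_LOG)
    for path, name, tag in t.infected:
        print(f"{name:<20} {tag or '-':<4} {path}")
    print(verdict(t))
```

The MBR lines matter as much as the detections: with default boot code reported, the helper can concentrate on the file and service components rather than on rewriting the boot sector.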

Mchavez2084
Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #1 on: August 07, 2012, 09:24:24 PM »
Just in case its needed I've attached the aswmbr.txt as well.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #2 on: August 07, 2012, 09:31:10 PM »
You look to have two infections here

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
    O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKU\S-1-5-21-3903322556-632712477-3017477609-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-3903322556-632712477-3017477609-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    [2011/12/03 15:19:17 | 000,009,960 | -HS- | C] () -- C:\Users\Miguel Chavez\AppData\Local\454002o7y253g502n740i2bxe7h4
    [2011/12/03 15:19:17 | 000,009,960 | -HS- | C] () -- C:\ProgramData\454002o7y253g502n740i2bxe7h4

    :Files
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Windows\Installer\{2da5e415-908a-a385-9dc1-3beb33849712}
    C:\Users\Miguel Chavez\AppData\Local\{2da5e415-908a-a385-9dc1-3beb33849712}
    ipconfig /flushdns /c
    netsh int ip reset c:\resetlog.txt  /c
    ipconfig /release /c
    ipconfig /renew /c
    sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.


Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

FINALLY

run farbar service scanner
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
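The OTL fix in this reply is built from two kinds of evidence in the scan log: O2/O3 browser hooks whose CLSID no longer resolves ("No CLSID value found"), and hidden+system files with random names dropped into user-writable data folders. As an added example (mine, not OTL's own logic or the helper's), the Python below parses lines in the OTL listing format quoted above and applies those two heuristics to them. The sample lines are constructed around the entries in the fix plus one benign file entry and one resolved BHO with a made-up CLSID and path; the R/H/S/D order of the attribute flags is an assumption about the OTL format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in OTL's listing format: two orphaned O2/O3 entries and
# two file entries taken from the fix above, plus a benign file entry and a
# resolved BHO (placeholder CLSID and path) made up here for contrast.
SAMPLE_OTL = r"""
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\ExampleVendor\helper.dll
[2011/12/03 15:19:17 | 000,009,960 | -HS- | C] () -- C:\Users\Miguel Chavez\AppData\Local\454002o7y253g502n740i2bxe7h4
[2011/12/03 15:19:17 | 000,009,960 | -HS- | C] () -- C:\ProgramData\454002o7y253g502n740i2bxe7h4
[2012/08/07 11:54:39 | 000,000,512 | ---- | C] () -- C:\Users\Miguel Chavez\Desktop\MBR.dat
"""

# "[date time | size | RHSD flags | C/M] (company) -- path"
FILE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([R-][H-][S-][D-]) \| ([CM])\] \((.*?)\) -- (.+)$"
)
# "O2 - BHO: ... - {CLSID} - No CLSID value found."  (O3 toolbars use the same tail)
ORPHAN_RE = re.compile(r"^(O[23]) - (.+?) - (\{[0-9A-Fa-f-]{36}\}) - No CLSID value found\.$")

# Assumption: folders any user process can write to, where a hidden+system
# file with a random name has no legitimate business.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\")


@dataclass
class FileEntry:
    path: str
    size: int
    hidden: bool
    system: bool
    directory: bool


def parse_file_entry(line: str) -> Optional[FileEntry]:
    m = FILE_RE.match(line)
    if not m:
        return None
    flags = m.group(4)
    return FileEntry(
        path=m.group(7),
        size=int(m.group(3).replace(",", "")),
        hidden="H" in flags,
        system="S" in flags,
        directory="D" in flags,
    )


def looks_random(name: str) -> bool:
    """Long, extensionless, letters and digits mixed: the naming pattern of the dropped files above."""
    return ("." not in name and len(name) >= 16
            and re.search(r"\d", name) is not None
            and re.search(r"[A-Za-z]", name) is not None)


def suspicious_reasons(e: FileEntry) -> List[str]:
    reasons = []
    if e.hidden and e.system and not e.directory:
        reasons.append("hidden+system file")
    if any(d in e.path.lower() for d in USER_WRITABLE):
        reasons.append("in user-writable data folder")
    if looks_random(e.path.rsplit("\\", 1)[-1]):
        reasons.append("random-looking extensionless name")
    return reasons


def triage_otl(text: str) -> Dict[str, list]:
    """Return orphaned browser hooks and files matching all three heuristics."""
    orphans, suspicious = [], []
    for line in text.splitlines():
        line = line.strip()
        o = ORPHAN_RE.match(line)
        if o:
            orphans.append((o.group(1), o.group(3)))
            continue
        e = parse_file_entry(line)
        if e is not None:
            reasons = suspicious_reasons(e)
            if len(reasons) == 3:
                suspicious.append((e.path, reasons))
    return {"orphan_entries": orphans, "suspicious_files": suspicious}


if __name__ == "__main__":
    for key, items in triage_otl(SAMPLE_OTL).items():
        print(key)
        for item in items:
            print("  ", item)
```

Requiring all three file heuristics at once keeps ordinary hidden system files (desktop.ini in Windows folders, for instance) out of the result; the two dropped files above are flagged because they are hidden, system, extensionless, randomly named and sitting where malware rather than the OS writes.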

Mchavez2084
Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #3 on: August 07, 2012, 11:14:57 PM »
Before I came onto this site I uninstalled AVG from my computer. When I ran the ComboFix it detected AVG to be running (the virus was sending me fake AVG messages from the first place, so I figured it was the virus). I double checked and made sure it wasn't on and I didn't find it anywhere. So I continued the process and have attached the logs to this message. Thank you for your help!

Offline essexboy
Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #4 on: August 07, 2012, 11:21:03 PM »
One more to kill

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Quote
FCopy::
C:\Windows\SoftwareDistribution\Download\d15e0adcf011f7a00bde2023e8b74a00\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe|c:\windows\system32\Services.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.


Mchavez2084
Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #5 on: August 08, 2012, 06:35:40 AM »
Thanks again for your help! Heres the log...

Offline essexboy

Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #6 on: August 08, 2012, 04:15:39 PM »
Could you confirm that you dragged the CF fix onto ComboFix, as it is not reporting that as happening?

Mchavez2084
Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #7 on: August 08, 2012, 05:30:08 PM »
Yea I did. Do I need to do it again?

Offline essexboy

Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #8 on: August 08, 2012, 08:01:25 PM »
Let's try a different copy.

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Quote
FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe|c:\windows\system32\Services.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.


Mchavez2084
Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #9 on: August 09, 2012, 10:09:39 PM »
Hey there,

Sorry I was out all day yesterday or I would have had it done. Here is the new copy of the Combofix.txt

Offline essexboy

Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #10 on: August 09, 2012, 10:11:14 PM »
OK, that worked. How is the computer behaving?

Mchavez2084
Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #11 on: August 09, 2012, 10:13:42 PM »
It's been running fine. I just want to make sure that I'll be able to check my email, bank accounts etc. without something lurking in the background. I believe I caught this virus when I was trying to update my Flash, and I remember once when I tried updating my Java my virus protector went bananas, so I haven't updated it in probably a few years.

Offline essexboy

Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #12 on: August 09, 2012, 10:19:00 PM »
Only ever update from the author's website and turn off the autoupdate; then you won't be caught out.

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Go to control panel
  • Select folder options (Appearance > Folder options in category view)
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

 Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version
SPRING CLEAN

To manually create a new Restore Point
 
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go to Start > All programs > Accessories > System Tools
  • Right click Disc cleanup and select run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ?

Keep safe  :wave:

Mchavez2084
Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #13 on: August 09, 2012, 10:52:30 PM »
Thank you so much for your help!!! You do a great job and may many riches and prosperity come your way!

Offline essexboy

Re: Win32:bitcoinminer-u and Win32:Sirefef-PL Virus Problems
« Reply #14 on: August 09, 2012, 10:56:29 PM »
My pleasure  ;D