Author Topic: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]  (Read 7189 times)


trebs

  • Guest
Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« on: July 11, 2012, 03:55:21 AM »
Hello. I am having trouble getting rid of a virus. My antivirus, Avast, will notify me in the bottom right corner of my screen that it has blocked a trojan horse (win32:Atraps-PF [Trj]) and malware (win32:malware-gen). These notifications will pop up every 2-5 minutes. They tell me "no further action is required," however Avast's virus chest is being loaded up every time I am notified. When I try deleting these viruses after a full scan with Avast, I am unable to delete another virus (win32:Sirefef-PL [Rtk]) from the chest. When I scan with Malwarebytes, I quarantine/delete Trojan.Dropper.BCMiner, but it will keep reoccurring when I go to scan again. I'm guessing Avast and Malwarebytes are blocking the same thing?

Every time I try deleting these they all just come back the next scan...

Thank you in advance to whoever can help me. I cannot get rid of this thing!!!

By the way, I have Windows 7. If anyone would like to see any Avast or Malwarebytes scan logs first I will post them as well.

iroc9555

  • Guest
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #1 on: July 11, 2012, 04:54:40 AM »
Trebs, welcome to the Avast! forums.

Please follow this guide: http://forum.avast.com/index.php?topic=53253.0

and attach (do not copy/paste) logs for Malwarebytes, OTL, and aswMBR.exe.

An expert in the removal of malware has been notified and will help you.

Thanks.

trebs

  • Guest
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #2 on: July 11, 2012, 07:49:27 AM »
Here is the MBAM log; I am going to follow the rest of directions on the guide now. Once again: MBAM will delete the infected file, but the same infected file appears each scan.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.10.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nick :: NICK593 [administrator]

7/11/2012 1:41:06 AM
mbam-log-2012-07-11 (01-41-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231676
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\{3adeb586-c348-fed3-ad11-0344ae90685f}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)
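An added example, not part of this thread: a small Python parser for the MBAM log format posted above. It pulls out each detection line, flags paths under the Installer GUID folder layout the log shows, and reports paths that recur between two scans, which is the "comes back every scan" symptom described in the post. The sample logs are constructed from the posted log's own lines.

```python
"""Parse the Malwarebytes Anti-Malware 1.x log format posted in this thread (added example)."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
# Installer GUID folder with a U or L subfolder: the layout in the thread's log and CFScript.
INSTALLER_RE = re.compile(r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}\\[UL](\\|$)", re.IGNORECASE)

@dataclass(frozen=True)
class Detection:
    section: str  # "Files", "Folders", "Registry Keys", ...
    path: str
    name: str     # e.g. "Trojan.Dropper.BCMiner"
    action: str   # e.g. "Quarantined and deleted successfully."

def parse_detections(log_text: str) -> list:
    """Each 'X Detected: n' header opens a section; entry lines follow until the next header."""
    section, found = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        entry = DETECTION_RE.match(line)
        if entry and section:
            found.append(Detection(section, entry["path"], entry["name"], entry["action"]))
    return found

def installer_folder_hits(detections):
    """Detections under the Installer GUID folder's U or L subfolder (what the CFScript removed)."""
    return [d for d in detections if INSTALLER_RE.search(d.path)]

def recurring_paths(earlier, later):
    """Paths detected in both scans: quarantined, yet restored by something still running."""
    return sorted({d.path.lower() for d in earlier} & {d.path.lower() for d in later})

# Constructed sample logs trimmed to the relevant lines; the detection line is the thread's own,
# reused as the second scan to model the recurring-detection case.
SCAN_1 = r"""Malwarebytes Anti-Malware 1.61.0.1400
Files Detected: 1
C:\Windows\Installer\{3adeb586-c348-fed3-ad11-0344ae90685f}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
(end)"""
SCAN_2 = SCAN_1
CLEAN = "Files Detected: 0\n(No malicious items detected)\n(end)"

if __name__ == "__main__":
    first, second = parse_detections(SCAN_1), parse_detections(SCAN_2)
    print("installer-folder hits:", [d.path for d in installer_folder_hits(first)])
    print("recurring between scans:", recurring_paths(first, second))
```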

trebs

  • Guest
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #3 on: July 11, 2012, 08:39:39 AM »
Here are the OTL and aswMBR logs. Thanks again.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #4 on: July 11, 2012, 10:18:40 AM »
Hi trebs, welcome to the forum.


To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
  • Do not attach any logs/reports, etc.. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, Please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Right click on ComboFix.exe, click Run as Administrator & follow the prompts.
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If after running ComboFix you receive a message "Illegal operation attempted on a registry key that has been marked for deletion" or similar, reboot the computer.


Please post back with the combofix log.

Thanks

trebs

  • Guest
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #5 on: July 11, 2012, 07:17:14 PM »
I have attached the ComboFix log.

trebs

  • Guest
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #6 on: July 11, 2012, 09:41:02 PM »
Just an update:

Ever since I have run ComboFix, Avast has not notified me about any blocked trojans or malware trying to get through :)

Should I scan with Avast and Malwarebytes to see if I'm clean?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #7 on: July 11, 2012, 11:55:17 PM »
Hi trebs,


Please run this fix; we'll do a couple of scans later.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
Code:
File::
c:\windows\SysWow64\shoF1FB.tmp
c:\windows\SysWow64\sho9FCF.tmp
c:\windows\SysWow64\sho483.tmp

Folder::
C:\Windows\Installer\{3adeb586-c348-fed3-ad11-0344ae90685f}\U
C:\Windows\Installer\{3adeb586-c348-fed3-ad11-0344ae90685f}\L
C:\Windows\Installer\{3adeb586-c348-fed3-ad11-0344ae90685f}

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



Please post the combofix log.

How's the computer?

trebs

  • Guest
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #8 on: July 12, 2012, 03:14:34 AM »
Here is the new ComboFix log.

Thanks a lot once again; the computer is running a lot better so far and I'm not getting the overload of blocked virus notifications from Avast anymore. :)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #9 on: July 12, 2012, 04:14:42 AM »
Hi trebs,

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

One more to check our handiwork.

As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
  • Do not use this instance of your browser for anything besides doing this scan
  • When the scan is complete and the results saved, close that instance of your browser
  • Open a new one the usual way and post the results in this topic.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Go here to run an online scanner from
ESET

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
  • Click Scan.
  • Wait for the scan to finish.
  • When the scan completes, click List of found threats
  • click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
  • Include the contents of this report in your next reply
Note - when ESET doesn't find any threats, no report will be created.

  • Push the back button.
  • Push Finish
  • Re-enable your Antivirus software.
Please post back with
  • MBAM log
  • ESET log if there is one

trebs

  • Guest
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #10 on: July 12, 2012, 05:49:37 AM »
The MBAM scan came up clean. Unfortunately, ESET detected 6 threats. :(

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.12.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nick :: NICK593 [administrator]

7/11/2012 10:28:15 PM
mbam-log-2012-07-11 (22-28-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 232259
Time elapsed: 2 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #11 on: July 12, 2012, 07:27:53 AM »
Hi trebs,

It's not as bad as you may think. The first 5 are files we have already quarantined. These will be removed when the tools are removed. The 6th detection is a bit of a concern.

Cracks and keygens are a very big source of infections. This may very well have been the source of your problems. If you continue to use cracks/keygen you will most likely find yourself back here again.

Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
Code:
:Services

:Files
C:\Users\Nick\Desktop\Editing Stuff\Plugins\New Blue Film Effects and Keygen for Sony Vegas\Keygen.exe

:Commands
[emptytemp]
[createrestorepoint]

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
Please post the  OTL fix log.

Next

Please navigate to C:\Qoobox. Locate this file, Add-Remove Programs.txt, and post its contents.

trebs

  • Guest
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #12 on: July 12, 2012, 08:14:38 AM »
Both logs are attached below. Thanks for the quick responses as well, I really appreciate your help.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #13 on: July 12, 2012, 10:40:30 AM »
Hi trebs,

You're very welcome.

We'll clean up the tools now.

From your desktop, please delete, if present
  • any notepads/logs that we created
  • aswMBR.exe
  • mbr.zip
  • mbr.dat

Next

Click the Start button. Copy and paste the following line into the search box and hit enter


Combofix /uninstall



Next

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.


I suggest you keep MBAM. Keep it updated and use it regularly.



Updates

You have an old vulnerable version of Java installed plus the current version.

Click start > Control panel
  • under Programs click Uninstall a program
  • Uninstall Java(TM) 6 Update 31
Do not uninstall Java(TM) 7 Update 5


Next

Click your start button > Control Panel
  • Use the drop down menu beside view by and change it to small icons
  • locate java (32bit) (looks like a coffee cup) in the list and click on it
  • On the General tab, Click Settings under Temporary Internet Files.
  • On the Temporary Files Settings screen, Click Delete Files.
  • check all boxes
  • Click OK
Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Those you have now, provided you are using a firewall and install an antivirus program. Windows 7 has a built in firewall which is pretty good when set up. You can find some very good information HERE.


-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


- Make sure you have reset Windows Updates to your chosen option. Click your start button > Control Panel > System > Windows updates (lower left) > change settings


- Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE

 Please post back if you have any problems.

Take care

trebs

  • Guest
Re: Trojan.Dropper.BCMiner/win32:Sirefef-PL [Rtk]
« Reply #14 on: July 12, 2012, 11:48:04 PM »
I followed all directions/tips and everything uninstalled fine.

Thanks a lot, and if I ever have another problem with a virus I'll be sure to come here first. :)