Author Topic: [SOLVED] Infection by BitCoinMiner/Hupigon/Sirefef-PL [rtk]  (Read 10813 times)


Saruma

  • Guest
[SOLVED] Infection by BitCoinMiner/Hupigon/Sirefef-PL [rtk]
« on: September 07, 2012, 11:41:57 AM »
Hi all, some days ago I got infected by these 3 viruses and other malware; after I deleted nearly everything I decided to format and reinstall Windows anyway.

After I installed Windows the first thing that I did was go straight to download avast! and then install some drivers from official sites.

This morning when I booted my PC I found something that I already had in the previous Windows and I think is from Sirefef:

C:\Users\Saru\AppData\Local\Temp\CRX_75DAF8CB7768

with these 2 files: crl-set and manifest.json

Maybe not malicious?

I don't know how this is possible, I had Windows Firewall on; if you have some advice on what good firewall I have to install, tell me.

I already deleted this folder, tell me what to do next, thanks.

These are the logs, other logs are in the next post (couldn't attach more than 4)
« Last Edit: September 10, 2012, 01:18:07 AM by Saruma »

Offline Pondus

  • Probably Bot
  • Posts: 37506
  • Not a avast user
Re: Infection by BitCoinMiner/Hupigon/Sirefef-PL [rtk]
« Reply #1 on: September 07, 2012, 12:02:05 PM »
upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners (if tested before click rescan)

alternative
jotti.org
metascan-online.com

but if you deleted ..... then it is too late   :-\

if you need removal help .... follow the guide and attach the requested logs
http://forum.avast.com/index.php?topic=53253.0

« Last Edit: September 07, 2012, 12:04:20 PM by Pondus »

Saruma

  • Guest
Re: Infection by BitCoinMiner/Hupigon/Sirefef-PL [rtk]
« Reply #2 on: September 07, 2012, 01:12:41 PM »
Thank you for the reply Pondus, I did all the guide till "If you cannot Boot the computer", I attached all the logs in these 3 posts.

Other logs attached here:

rk 1 is when scanned
rk 2 is when deleted
rk 3 is when fixed shortcut
« Last Edit: September 07, 2012, 01:18:02 PM by Saruma »

Saruma

  • Guest
Re: Infection by BitCoinMiner/Hupigon/Sirefef-PL [rtk]
« Reply #3 on: September 07, 2012, 01:13:37 PM »
And farbar.

Saruma

  • Guest
Re: Infection by BitCoinMiner/Hupigon/Sirefef-PL [rtk]
« Reply #4 on: September 07, 2012, 10:55:21 PM »
I got this folder again, same name with the same files in; I did the scan with VirusTotal, it didn't detect anything but has more malicious votes than harmless.

I found some topics on the internet that talk about this and it doesn't look good:

http://productforums.google.com/forum/#!msg/chrome/R4eU3V5mosY/GoiF4pDVYNIJ
http://forums.avg.com/us-en/avg-forums?sec=thread&act=show&id=202257&type=0
http://forums.majorgeeks.com/showthread.php?t=257894

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infection by BitCoinMiner/Hupigon/Sirefef-PL [rtk]
« Reply #5 on: September 08, 2012, 12:34:55 AM »
Hi, all the logs show clean

Looking at the links they all indicate to me a false positive; it is just that as they cannot find the name they assume it to be bad. In fact it is a cd file usually used by Linux

Are you experiencing any problems?


Saruma

  • Guest
Re: Infection by BitCoinMiner/Hupigon/Sirefef-PL [rtk]
« Reply #6 on: September 08, 2012, 02:43:30 AM »
Hi essexboy, thanks for the reply.

I'm not experiencing any problem, but this folder is strange (Linux?); it seems to appear once a day, maybe a Chrome update?

I attach the two files here so you can open them with Notepad to see what they could be.

and this, if it can help:
http://en.wikipedia.org/wiki/Revocation_list
http://support.microsoft.com/kb/289749/en-us
https://github.com/agl/crlset-tools

EDIT: I think that this folder is created on any PC that has Chrome, you can close the topic and thanks for the support.


« Last Edit: September 08, 2012, 01:53:46 PM by Saruma »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infection by BitCoinMiner/Hupigon/Sirefef-PL [rtk]
« Reply #7 on: September 08, 2012, 02:20:28 PM »
Yes it looks like a revocation list, and points to Chrome... I wonder why they use a Linux name... 'Tis curious
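
The check the thread arrives at by asking friends can be done on the files themselves. Chrome unpacks component updates such as its CRLSet (the certificate revocation list the links above describe) into a temporary CRX_ directory holding manifest.json and crl-set, and the crl-set layout is the one documented by the agl/crlset-tools project linked above. The script below is an added example, not code from this thread or from crlset-tools; the sample manifest and crl-set bytes are constructed, and the hash and serial values in them are placeholders.

```python
import json, os, struct, tempfile

def build_crlset(sequence, parents):
    # Layout (per agl/crlset-tools): u16le header length, JSON header, then one record per parent.
    header = json.dumps({"Version": 0, "ContentType": "CRLSet",
                         "Sequence": sequence, "NumParents": len(parents)}).encode()
    out = bytearray(struct.pack("<H", len(header)) + header)
    for spki_hash, serials in parents:
        out += spki_hash + struct.pack("<I", len(serials))  # 32-byte SPKI SHA-256, u32le count
        for serial in serials:
            out += bytes([len(serial)]) + serial              # u8 length, then the serial bytes
    return bytes(out)

def parse_crlset(data):
    """Walk the blob; raise ValueError if it is not shaped like a CRLSet."""
    (hlen,) = struct.unpack_from("<H", data, 0)
    header = json.loads(data[2:2 + hlen])
    if header.get("ContentType") != "CRLSet":
        raise ValueError("header is not a CRLSet header")
    pos, parents = 2 + hlen, {}
    for _ in range(header["NumParents"]):
        spki, pos = data[pos:pos + 32].hex(), pos + 32
        (count,) = struct.unpack_from("<I", data, pos); pos += 4
        serials = []
        for _ in range(count):
            n = data[pos]; serials.append(data[pos + 1:pos + 1 + n]); pos += 1 + n
        parents[spki] = serials
    if pos != len(data):
        raise ValueError("trailing bytes after the last parent")
    return header["Sequence"], parents

def inspect_crx_dir(path):
    """Report whether an unpacked CRX_ directory holds exactly manifest.json + crl-set and what they say."""
    names = sorted(os.listdir(path))
    if names != ["crl-set", "manifest.json"]:
        return {"ok": False, "reason": "unexpected files: %r" % names}
    with open(os.path.join(path, "manifest.json")) as mf, open(os.path.join(path, "crl-set"), "rb") as cf:
        manifest, (sequence, parents) = json.load(mf), parse_crlset(cf.read())
    return {"ok": True, "name": manifest.get("name"), "sequence": sequence,
            "parents": len(parents), "serials": sum(map(len, parents.values()))}

def write_sample_dir():
    """Constructed sample: a fake CRX_ directory with one parent and two placeholder serials."""
    path = tempfile.mkdtemp(prefix="CRX_")
    with open(os.path.join(path, "manifest.json"), "w") as f:
        json.dump({"manifest_version": 2, "name": "CRLSet", "version": "2048"}, f)
    with open(os.path.join(path, "crl-set"), "wb") as f:
        f.write(build_crlset(2048, [(b"\x11" * 32, [b"\x01\x02", b"\x7f"])]))
    return path
```

On a real machine, point inspect_crx_dir at the CRX_ folder under %LOCALAPPDATA%\Temp; anything other than those two files, or a crl-set that does not parse, is what would merit a second look.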

Saruma

  • Guest
Re: Infection by BitCoinMiner/Hupigon/Sirefef-PL [rtk]
« Reply #8 on: September 09, 2012, 11:11:10 PM »
Can anyone that has Chrome tell me if he has the folder CRX_75DAF8CB7768 in the Temp folder? It will resolve this, thanks.

I asked a friend and he has this too. Solved.
« Last Edit: September 10, 2012, 12:27:33 AM by Saruma »