Help please - we've got a nasty virus

My PC has started throwing up lots of virus alert messages at me and I am at a loss to know what to do.

According to Avira it is a TR/ATRAPS.Gen2 in my c:\$Recyclebin\S-I-5-18 .....etc

and with AVG it calls it a Luhe.Siref.A in the same place.

My bin is empty so I am not sure what it is or where it is lurking, but neither software seems to get rid of it for long as it reappears as a warning 10 minutes later.

Any help much appreciated, thanks

Comments

  • Run Malwarebytes as it seems to be a file that isn't actually emptying the "free" space, other way is to dump lots of rubbish large files in the recycle bin
  • georgiac
    georgiac Posts: 1,189 Forumite
    Part of the Furniture 500 Posts Combo Breaker
    Thanks bk, I will try Malwarebytes, the bin is totally empty so not sure where the files are?
  • Please tell me you are not running AVG and Avira together
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Sirefef aka rootkit.0access (ZeroAccess)

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2FSirefef

    Only run a quick scan with Malwarebytes - post the resulting detection log.

    Then/or, download DDS from the link below and save it to your desktop:

    Link

    After you've downloaded it and saved it to your desktop:
    • Double click DDS to run it.
    • When it's finished, DDS will open two logs:
    1. DDS.txt
    2. Attach.txt

    Save both reports to your desktop.

    Copy & paste the contents of just DDS.txt for now and post it here (you may need to split the log over separate posts)
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Any problems with this below just ask. AVG is installed, but combofix may think Avira is also. If combofix says Avira is running, ignore the warning and continue - just ensure AVG is turned off.

    Go here and read through the instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial
    • IMPORTANT! Ensure you temporarily turn off AVG before running.
      Instructions here
    • Save combofix to your desktop.
    • Double click combofix.exe & follow the prompts closely.
    • Combofix may reboot the PC several times.
    • When it's finished, it will automatically produce a log. Post the contents of that log.
    • It can also be found on your C:\ drive named combofix.txt
    Above all, BE PATIENT! and let it run its course. It may take combofix slightly longer than stated as this malware is harder to remove.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Download Malwarebytes' Anti-Malware (MBAM) from the link below and save it to your desktop.
    (mbam-setup-1.65.1.1000.exe , 10.1MB)

    LINK
    • Double-click mbam-setup-1.65.1.1000.exe and follow the prompts to install the program.
    • At the end, UNCHECK Enable free trial of Malwarebytes Anti-malware PRO
    • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Select the Settings tab, then the Scanner Settings tab
    • For Action for Potentially Unwanted Programs (PUP), choose Show in results list and check for removal from the drop down box.
    • Select the Scanner tab, select Perform Quick scan, then click on Scan
    • When done, you will be prompted. Click OK. If items are found, then click on Show Results
    • Check all items then click on Remove Selected
    • After it has removed the items, Notepad will open. Post this log in your next reply.

    Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • georgiac
    georgiac Posts: 1,189 Forumite
    Part of the Furniture 500 Posts Combo Breaker
    Many thanks to waddler_8 for all their help.

    I have now lost the original threat but gained at least one other.

    This is the log from Malwarebytes:

    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 240777
    Time elapsed: 31 minute(s), 30 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 1
    C:\Windows\assembly\GAC\Desktop.ini (Rootkit.0access) -> Quarantined and deleted successfully.
    (end)

    Thanks again.
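
For anyone triaging logs pasted into a thread like this one, the following is an added example (not part of the original posts and not Malwarebytes' own code) that parses the log layout shown above, checks each section's declared count against the items actually listed, and flags items not reported as removed. The sample log is constructed: its second file entry, the `Trojan.Example` name and the "No action taken" result are assumptions for illustration.

```python
import re

# Constructed sample in the layout of the log posted above. The second item
# and its "No action taken" result are invented for illustration.
SAMPLE_LOG = r"""Scan options enabled: Memory | Startup | Registry | File System
Objects scanned: 240777
Memory Processes Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Windows\assembly\GAC\Desktop.ini (Rootkit.0access) -> Quarantined and deleted successfully.
C:\Users\example\AppData\Local\Temp\sample.tmp (Trojan.Example) -> No action taken.
(end)
"""

SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ITEM = re.compile(r"^(?P<target>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (detections, mismatches) for a pasted scan log."""
    detections, declared, listed = [], {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            current = header["name"]
            declared[current] = int(header["count"])
            listed[current] = 0
            continue
        item = ITEM.match(line) if current else None
        if item:  # "(No malicious items detected)" and "(end)" do not match
            listed[current] += 1
            detections.append({"section": current, **item.groupdict()})
    # A declared count that differs from the listed items means a cut-off paste.
    mismatches = {s: (declared[s], listed[s])
                  for s in declared if declared[s] != listed[s]}
    return detections, mismatches


def unresolved(detections):
    """Items the log does not report as quarantined or deleted."""
    return [d for d in detections
            if not re.search(r"quarantined|deleted", d["action"], re.I)]


if __name__ == "__main__":
    found, gaps = parse_mbam_log(SAMPLE_LOG)
    print(found, gaps, unresolved(found))
```

A non-empty mismatch result usually means the log was split across posts or truncated when pasted, so ask for the rest before concluding the machine is clean.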
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    georgiac wrote: »
    I have now lost the original threat but gained at least one other.

    The infection is gone, we're now just cleaning up the remnants.

    Uninstall these:

    Adobe Reader 7.1.0

    Java(TM) 6 Update 31

    Java(TM) SE Runtime Environment 6


    Read this (Vulnerable applications targeted by malicious users): http://www.securelist.com/en/analysis/204792239/IT_Threat_Evolution_Q2_2012#10

    Get Adobe Reader here: (You don't need the McAfee security scan, uncheck it before download)

    http://get.adobe.com/reader/


    Get Java here: http://www.java.com/en/download/index.jsp


    These are always going to be one potential infection vector for this & other kinds of malware. I'd suggest uninstalling them:

    BearShare
    BitTorrent
  • mr_fishbulb
    mr_fishbulb Posts: 5,224 Forumite
    Part of the Furniture Combo Breaker
    I'd also recommend downloading Secunia PSI which will help you keep up to date with all the software that needs patching. For example it would have told you that Adobe Reader 7 is old old old.

    http://secunia.com/vulnerability_scanning/personal/
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    There's also an online version, should you not wish to install the software.

    http://secunia.com/vulnerability_scanning/online/

    @georgiac

    When you're satisfied all's running well, it's important to uninstall combofix. If things aren't running well now, let me know before doing this.

    Open a Run command box. (Start > Run or Windows key + R on your keyboard) and copy/paste this command in:

    ComboFix /uninstall

    Note the space between ComboFix and /uninstall , it needs to be there.

    Click OK

    Combofix will uninstall itself.
This discussion has been closed.