Well its a trojan actually.
My main windows machine has been hit with a trojan,
Its the "win32/sirefef.ah" & win32/sirefef.ac trojan. It arrived on the 8th, through a an infected web site that provides music lyrics.
The pc (windows 7) was up to date with updates and MS Security Essentials was up to date with its signature files, but java was not up to date. Not sure how it got in, think Nicole may have accepted a box to download a (fake) java update.
Anyway, symptoms are that MS Security Essentials finds it, removes it, but it comes back shortly after and the cycle repeats. Web sites are redirected.
Currently running Malwarebites, anti malware, more as a first step than anything, but as this appears to be a root kit it probably won't deal with it. Think I have located a tool to eradicate it if it doesn't.
I'll let you know the outcome.
However this one seems pretty recent (in its current form), so don't accept Java updates or any other form of update if a web site suggests it. Always get updates from the program source.
Last edited by: VxFan on Tue 10 Apr 12 at 13:57
|
This is possibly exploiting the Java problem that the recent Apple update was meant to fix.
On that note, I had updated my machine as soon as I was aware but last night the automatic update on MacOS X said there was a Java update. I think it's the same version as update had installed but it makes on wonder. The Java version is down as: 1.6.0_31-b04-414. For some reason I can't help but wonder that the last 3 digits were 313 previously but maybe not.
|
I've just run a full MSE scan on my computer and it came up with:
Exploit:JAVA/CVE-2010--0840.OG ... (shows how long it is since I last run a fool scan!)
Exploit:JAVA/CVE-2011-3544.2
TrojanDownloader:JAVA/open
All now removed ~ Thanks!
|
>> Anyway, symptoms are that MS Security Essentials finds it, removes it, but it comes back
I would try removing virus again then do a System Restore to just before the first infection.
Avast (if you can temporarily install it) www.avast.com/free-antivirus-download will let you run a boot time scan option which can catch rootkits before they can protect themselves. You can try an online scan with Trend Housecall to see if that helps: housecall.trendmicro.com/uk/
It could be the virus is located in your "pool" of System Restore points created since the infection which is why MSE can't clean it completely as these are protected files. In this case deleting all the restore points is the effective method of cleaning. In Windows 7 type point in search box by Start Orb and select System Restore, then Configure button then delete all Restore Points. Obviously don't do this until you've exhausted all other possibilities!!
|
Does one need Java?
I don't think I have it on the Mac, unless someone can tell me otherwise.
How would I check?
|
>> Does one need Java?
>>
>> I don't think I have it on the Mac, unless someone can tell me otherwise.
>>
>> How would I check?
You do have Java on the mac, see the Mac thread to check.
|
|
I have a "utility" called Secunia p.s.i 2.0 running on my machine, it regularly scans ALL programs installed on your computer (inc some I didnt realise i had or were running!) and automatically searches the Vendors websites for the "official" updates and patches the programs as required to keep them fully upto date. I think it works very well!
|
Iffy,
As Zero says you will have Java and many websites make use of it. Make sure it is up to date on the Mac or you could get infected. Take a look at Zero's thread on this but also do a manual Software Update check too.
|
Thanks Zero and rtj, I've just posted the result of my inquiries on the Mac thread.
|
I did a Java update yesterday on my PC which runs Vista, ensuring I was dealing with the real thing.
Today I did a boot-time scan with Avast!, which came up with the following, which was moved to the virus chest:
notana.class ....JavaDeploymentcache6.0571d662f339-704077de
Is that it? Do I need to do anything more? Has anything on my computer been compromised?
|
I just "Googled" the threat you posted, and it came up as "no matches found", which means to me that its either a "brand-new" exploit/virus, or a false positive.
There does appear to be several types of threat under the "Notana class" label though and alot do appear to be false detections, most anti-virus progs seem to be able to quarantine the threats, so I think once quarantined you should be clear.
if you check the virus vault, it may show you the path the infection arrived by, so that will probably be a weak point worth investigating.
|
>> JavaDeploymentcache6.0571d662f339-704077de >>
That is probably meant to be part of the Java cache found at
C: > Users > "FocalPoint YOUR PC USER NAME" > AppData > LocalLow > Sun > Java > Deployment > cache > 6.0 > 571d662f339-704077de
If you want to clear out all the old cache, first uninstall Java and then delete the above
( ... LocalLow > Sun > ) folder contents, and then reinstall Java.
www.java.com/en/download/testjava.jsp
|
Victorbox had the right idea. Unistalled MSE, and installed Avast, and did a boot scan (took 12 hours) and it removed three infected files. However the files were windows system dll's and its screwed up networking. Unless I can find a way to delete and rebuild the TCP/IP stack a rebuild is looming, Data is safe tho, everything else works just no network.
Might take the chance to install 64 bit won doze and add some more memory.
|
|
Thanks for that, but its a little bit fundamental than an adaptor configuration reset, bits of the network subsystem are missing. I think I have lost a DLL for the DNS
|
Format C:
You know it makes sense.... :-)
|
>> No restore points set?
No part of the virus payload was to disable resort points.
|
Have you fixed your machine Zero?
I gave up on MSE for this machine in the end, none of the reported fixes seemed to work which I suppose is a mild concern in itself. I installed F-Secure which TalkTalk provides as part of the package and all seems well now the firewall is trained, scans clear and everything works. It doesn't seem to create any noticeable overhead either, quite important on a weedy netbook.
|
>> Have you fixed your machine Zero?
>
No bothered yet. I am in the middle of a bout of decorating. Just shuttling data settings and favourites, and email onto another drive before I trash the C. Waiting for some memory to arrive.
|
Thanks for the warning.
It prompted me to do a scan with MSE. Except I find the tray icon has disappeared and I can't open the dialogue. I have checked that it is set to display, rebooted, uninstalled and reinstalled but it is still missing.
I know MSE is there because I am being notified of scans when downloading files. It seems this is a known phenomenon, but without a known single cause or solution that I can find.
Oh well.
|
Virus, A warning - rtj70
