Computer Support Forum

Win32/sirefef.AB / win64/sirefef.P infection

Question: Win32/sirefef.AB / win64/sirefef.P infection

Yes, I have the dreaded infection and have downloaded frst64.exe and will run it to get the log files...
Any other directions or advice would be great

Not sure if this is the correct place to post virus infection requests... if not, please direct me to the correct place... I do have the frst.txt file for my issue to upload when necessary.

Thanks
Russ

Answer: Win32/sirefef.AB / win64/sirefef.P infection

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

You can also post the FRST log

Good luck

1 more replies

I went through the other threads and noticed a fix.txt is needed to repair my brother's computer. I used frst64 to acquire the two logs attached to this message. Any chance someone can help us? Let me know if you need anything else. His computer starts up and then shuts down before much can be done, so I don't have a normal log for you, but I will see what I can get for you.

Thanks!
Scott


Answer: win32/sirefef.ab and win64/sirefef.p infection fix.txt needed

You did not run it properly, as indicated by the contents of the log. You need to do it again according to these instructions, and you must NEVER follow a fix tailored especially for someone else.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
Sys... Read more

11 more replies

Ladies and Gentlemen of the VTSM forum,

I need help. I thought I had a pretty simple rootkit infection, but TDSSKiller/MBAM have proven ineffective. MSE is able to identify and ostensibly remove the infection, but doing so makes the computer unbootable and system repair unable to complete, forcing a system restore to the infected state. The infection extends back to the oldest restore point. Win7 64-bit, running MSE and the MS firewall with MBAM for antimalware. SFC /scannow shows clear. Google redirects on Firefox and Chrome, occasional slowdowns, Windows Defender is unable to start on boot; otherwise the system seems to be running fine. No rootkits recognized by TDSSKiller. As mentioned in the title, MSE shows win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e

Here's the DDS log. Please let me know what else I should supply. Thank you in advance!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by wstrawn at 16:51:52 on 2012-02-17
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4061.1285 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* / Copyright 4
SP: Microsoft Security Essentials *Enabled/Updated* / Copyright 3
SP: Windows Defender *Disabled/Updated* / Copyright 2
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch... Read more

Answer: win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e combination is killing me

Hi Weeps!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I'll be addressing you by your username; if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow the instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, please delete the copy that you... Read more

37 more replies

Hello,

Microsoft Security Essentials is notifying me that Win32/Sirefef.AB and Win64/Sirefef.P are potential threats, but of course trying to remove them does nothing.

Attached is my Farbar Recovery Scan Tool log. Thanks in advance for any help!

Answer: Win32/Sirefef.AB and Win64/Sirefef.P Infection

Hello user314159 and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username; if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow the instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, ple... Read more

4 more replies

Hello all,

I'm a first time poster here and have come here looking for help in resolving my infection issue. I followed the directions in the read first thread and will post my logs. I am / was experiencing the following issues:


Firefox would redirect to various pages such as newsfudge.com. Since proceeding through the read first post, and also running goored? I have not noticed this recently.
Sometimes browsing seems to be incredibly slow, possibly related to the redirections.
Since attempting to troubleshoot this issue (Microsoft Security Essentials), it is believed that this is causing the following issue:

! You are about to be logged off
Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now.

If I let the computer restart itself, then this will keep happening. I have learned to "interrupt" it by running a normal restart after the message pops up. So far, every time the computer comes back I won't get the message. If I restart again, it will happen again. I haven't noticed anything in particular relating to this in the system log.

While not experiencing problems with the programs to resolve issues like this, I have noted that it has prevented me from patching games such as Rift. I believe this is related.
While working in safemode sometimes I noticed Adobe Flash 11.3 installer would frequently run trying to get me to install it. I do believe there was a massive security thr... Read more

Answer: Win32/Sirefef.AB & Win64/Sirefef.P; Browser Redirection, Windows Critical, Restarts

Welcome to Major Geeks!


Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.

Also allow Hitman to delete the C:\Windows\assembly\GAC_32\Desktop.ini piece of the infection
Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take effect; please do so.
Reboot back into normal Windows and run another scan with HitmanPro and then attach the latest hitmanpro.zip log.
Also do the below:

Delete the below folders if found:
C:\Windows\installer\{5efa2d27-76c5-fff1-abd3-fdc5fc0c9d41}
C:\Users\Administrator\AppData\Local\{5efa2d27-76c5-fff1-abd3-fdc5fc0c9d41}


Download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

C:\MGlogs.zip
Make sure you tell me how things are working now!
 

1 more replies
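As an added example (not code from the forum, nor from HitmanPro, FRST or MGtools), the PowerShell script below checks a Windows volume for the artifacts the reply above names: a Desktop.ini dropped into C:\Windows\assembly\GAC_32 and GAC_64 (a genuine Desktop.ini is an INI text file, so one carrying a PE "MZ" header is a DLL in disguise), a tampered services.exe, and a {GUID}-named folder that exists both under C:\Windows\Installer and under a user's AppData\Local, the pairing visible in the two paths the reply tells the poster to delete. The GUID in the reply belongs to that poster's machine; the script matches any GUID-shaped folder name rather than that value. The MZ-header test, the winsxs hash comparison and the paired-GUID heuristic are this example's own assumptions, and a hit is something to review, not a verdict. Because the rootkit can hide or substitute files while it is running, run the script from a clean environment (the disk slaved into another PC, or a WinPE that includes PowerShell) and point -Root at the infected volume; the syntax is kept to PowerShell 2.0 so it also runs on the Windows 7 installs in these threads.

```powershell
<#
  Sirefef artifact triage for a Windows volume (added example, see lead-in).
  Pass -Root as the infected volume mounted from a clean environment, e.g. D:\.
  PowerShell 2.0-compatible so it runs on the Windows 7 systems in these threads.
#>
param(
    [string]$Root = 'C:\'
)

function Test-PeHeader {
    # A genuine Desktop.ini is an INI text file; a PE image (DLL/EXE) starts with 'MZ'.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 2
        $n = $fs.Read($buf, 0, 2)
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally { $fs.Close() }
}

function Get-Sha256 {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($fs)
        return ([System.BitConverter]::ToString($hash) -replace '-', '')
    } finally { $fs.Close() }
}

function New-Finding {
    param([string]$Check, [string]$Path, [string]$Detail, [bool]$Suspicious)
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Check $Check
    $o | Add-Member NoteProperty Suspicious $Suspicious
    $o | Add-Member NoteProperty Path $Path
    $o | Add-Member NoteProperty Detail $Detail
    return $o
}

# 1. Desktop.ini inside the GAC folders, the paths MSE flagged in these threads.
function Find-GacDesktopIni {
    foreach ($gac in 'GAC_32', 'GAC_64') {
        $p = Join-Path $Root "Windows\assembly\${gac}\Desktop.ini"
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p -Force
            $isPe = Test-PeHeader $p
            New-Finding 'GAC Desktop.ini' $p "size=$($item.Length) attrs=$($item.Attributes) PE=$isPe" ($isPe -or $item.Length -gt 4KB)
        }
    }
}

# 2. services.exe: hash it and count the copies under winsxs that match it.
#    Caveat: System32\services.exe is a hard link into winsxs, so an in-place
#    patch changes both; also compare the hash with a clean machine of the same build.
function Find-ServicesExe {
    $svc = Join-Path $Root 'Windows\System32\services.exe'
    if (-not (Test-Path -LiteralPath $svc)) { return }
    $live = Get-Sha256 $svc
    $matching = 0
    $sxs = Join-Path $Root 'Windows\winsxs'
    if (Test-Path -LiteralPath $sxs) {
        Get-ChildItem -Path $sxs -Recurse -Force -Filter 'services.exe' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { if ((Get-Sha256 $_.FullName) -eq $live) { $matching++ } }
    }
    New-Finding 'services.exe' $svc "sha256=$live; matching winsxs copies=$matching" ($matching -eq 0)
}

# 3. {GUID} folders present both in Windows\Installer and in a user's AppData\Local.
#    Windows\Installer legitimately holds {ProductCode} folders for MSI packages,
#    so the pairing, not the mere presence, is what this flags.
function Find-PairedGuidFolders {
    $guidRe = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
    $inInstaller = @{}
    $installer = Join-Path $Root 'Windows\Installer'
    if (Test-Path -LiteralPath $installer) {
        Get-ChildItem -LiteralPath $installer -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match $guidRe } |
            ForEach-Object { $inInstaller[$_.Name.ToLower()] = $_.FullName }
    }
    $users = Join-Path $Root 'Users'
    if (-not (Test-Path -LiteralPath $users)) { return }
    Get-ChildItem -LiteralPath $users -Force -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $local = Join-Path $_.FullName 'AppData\Local'
        if (Test-Path -LiteralPath $local) {
            Get-ChildItem -LiteralPath $local -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer -and $_.Name -match $guidRe -and $inInstaller.ContainsKey($_.Name.ToLower()) } |
                ForEach-Object { New-Finding 'paired {GUID} folder' $_.FullName "same name under $($inInstaller[$_.Name.ToLower()])" $true }
        }
    }
}

$findings = @(Find-GacDesktopIni) + @(Find-ServicesExe) + @(Find-PairedGuidFolders)
if ($findings.Count -eq 0) {
    "No Sirefef-style artifacts found under $Root (absence of artifacts is not proof the volume is clean)."
} else {
    $findings | Format-Table Check, Suspicious, Path, Detail -AutoSize -Wrap
}
```

Save it under any name (say Sirefef-Triage.ps1, an assumed file name) and run it from an elevated prompt as `.\Sirefef-Triage.ps1 -Root D:\`; Windows\Installer and the GAC folders are hidden system directories, hence -Force throughout. Treat a Suspicious row as a lead for the helper in the thread, and compare the services.exe hash with a clean machine of the same build rather than relying on the winsxs count alone.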

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

Answer: Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute. Firewall cannot turn on

Hi,

Thanks for the reply.

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 29-07-2012 11:19:09
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL "" [1111568 2011-10-08] (Trend Micro Inc.)
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2589992 2011-04-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [617120 2011-03-13] (Atheros Commnucations)
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [197152 2011-02-10] (Trend Micro Inc.)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\A... Read more

20 more replies

Hello everyone,

I just discovered this forum while searching for a fix to my problem. I stumbled upon this post [Thread @ Bleepingcomputer] and he has the exact same problem as I have, even though the name is different. It seems his problem was fixed through a few custom actions a member suggested to him, and I figured I was SOL with my problem and would need the help. So thanks in advance to whoever ends up helping me!

So my PC was running a bit slow, but the thing that ticked me off was this popup that kept appearing randomly, even once triggering on youtube.com, a site which has never generated popups in the recent past. This nagged me so I launched MBAM and it found something called Trojan.Dropper.BCMiner and it failed to remove it after asking for a reboot. So I tried a bunch of stuff; I don't really remember all I did since I fired in no precise order: ComboFix (which didn't start at first, but it did once I rebooted into safe mode later in the process), the Kaspersky malware tool I've seen suggested a lot here (I don't remember the exact name), MBAM, an MSSE scan and SUPERAntiMalware. All of them failed at doing anything good. I also ran the avast MBR fix tool to no avail; it actually blue screened my PC.

After I started reading on the topic linked earlier, I ran almost the exact same procedure, up to getting a FRST log, which I now do have. In the end, I'm having the same problem I had at the beginning: MSSE is crazy about the two desktop.ini files in... Read more

Answer: Infected with Win32/Sirefef.P and Win64/Sirefef.AB

Hi,

I'd like to see an updated FRST log:

Download Farbar Recovery Scan Tool and save it to a flash drive (you need the 64-bit version).

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.... Read more

14 more replies

I recently downloaded a file and was later infected by Win32/Sirefef.AB and Win64/Sirefef.P viruses. Any help in resolving this issue would be greatly appreciated.
 

Answer: Infected with Win32/Sirefef.AB and Win64/Sirefef.P. Help

Welcome to MajorGeeks, Yellow77

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and f... Read more

3 more replies

Avast keeps detecting Win32:Sirefef-B, Win64:Sirefef-A, and sometimes Win32:Malware-gen. Multiple scans detect & quarantine files, but the trojan warning keeps popping up. My friend ran ComboFix on it & claims that everything is fine now, but I'm concerned that he shouldn't have run ComboFix yet and also that it may not have actually removed this infection. Here is my log from DDS.txt:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16506
Run by Michael Calhoun at 0:57:18 on 2013-10-07
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.3034.1819 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Intuit\... Read more

Answer: Infected with Win32:Sirefef-BTT & Win64:Sirefef-A

Hello troyman5150, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sam... Read more

16 more replies

Hi guys,

Since yesterday I'm getting alerts from Microsoft Security Essentials about trojans in C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini

First I tried bootable live CDs from AVG and Dr.Web, and scanned and cleaned the PC with Microsoft Security Essentials; after that didn't help, I searched Google a little and found your forum.

Read "READ & RUN ME", and here are the log files.

Huge thanks in advance
 

Answer: Trojans: Win32/Sirefef.AB and Win64/Sirefef.P

and here are 3 other logs..
 

4 more replies

Hello. My antivirus picked up these two and I was wondering if anyone could help me remove them. I tried using DDS to send you logs, but no attach.txt or dds.txt pops up after using it, and I'm an amateur when using computers, so I have no idea how to find those logs if they exist somewhere in my system. Hope someone can help.

Answer: win64 sirefef -btt and win32 sirefef - a detected

Hello SONYAns, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same",... Read more

4 more replies

Hi,
I have recently changed AV programs from ESET NOD32 to Microsoft Security Essentials.

Upon running a scan with MSE, it has detected two trojans,
Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

Located in:
C:\Windows\assembly\GAC_32\Desktop.ini

I have gone through READ & RUN ME.
I did not run RootRepeal as I have Windows ultimate x64.
ComboFix and TDSSKiller did not create log files.

TDSSKiller did find 2 threats and attempted to delete them; upon reboot Windows became stuck in loading.

Thanks in advance
 

Answer: Trojan:Win32/Sirefef.AB & Win64/Sirefef.P

Currently reviewing those logs and will get back to you as soon as possible.
 

2 more replies

When I try to turn Windows' firewall on/off, I get the message "Due to an unidentified problem, Windows cannot display Windows firewall settings."

The Security Service center cannot be started.

I cannot install cumulative security update for IE8.

I was getting redirected to different websites in new windows when surfing.

I recently removed AVG and installed Avast. I also recently updated JAVA and removed old JAVA stuff.

Avast keeps indicating it has blocked:

Infection - Win64:Sirefef-A[Trj]
Object [email protected]

Infection - Win32:Sirefef-AD[Rtk]
Object - [email protected]

Infection - Win32:Malware-gen
Object - [email protected]

I have scanned w/ Avast (Avast also did a boot scan), Malwarebytes, and SuperAntiSpyware, and nothing has changed except the redirect seems to have stopped.

I tried the gmer scan three times and each time it resulted in a blue screen. All I could read on the screen was uwldypow.sys.

Anyway the DDS file -

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 10.5.1
Run by JIM at 21:05:10 on 2012-06-29
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.170 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:&... Read more

Answer: Infected w/ Win64:Sirefef-A[Trj], Win32:Sirefef-AD[Rtk], Win32:Malware-gen

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

30 more replies

Hello,

I post my problem here as it seems the only place where I've found people who actually know what they're talking about. I have a Sony Vaio laptop running Windows 7 64-bit infected with the Sirefef virus. Microsoft Security Essentials shows that it found:

Trojan: Win64/Sirefef
Trojan: Win64/Sirefef.Y
Virus: Win64/Sirefef.B
Trojan: Win64/Sirefef.Z
Trojan: Win64/Sirefef.W

Every time I boot the computer, MSE finds these infections, and prompts me after a minute to restart in order to complete the removal. But every time it reboots, the message is still there. I tried installing Malwarebytes but it won't let me because it says "access denied" or something like that. Sorry for not providing any more information, but I can use my PC for only a couple of minutes every time (because it reboots automatically). I followed your instructions and scanned with DDS. I attach the attach.txt file it generated. I look forward to hearing from you as I really need the laptop for my university studies and I'm in the middle of the exam period. Thank you for your time!

P.S. If I restore my whole system to factory settings, is the problem going to persist? Because if it's not, I will do it in a heartbeat. The only problem is that I am afraid of infecting my external hard drive (which would be already infected if the virus spreads to external devices). Would that be the case? Will I need to clean my external HDD too?

Answer: Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute

Hello and welcome. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean! Please do not run any scans or install/uninstall any applications without being directed to do so.

Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an... Read more

2 more replies

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At t... Read more

Answer:win32/sirefef.ab, win64/sirefef.p and win64/sirefef.m

Hi Gringo
Thanks for your help. My firewall is down and I am lost on what to do. I have done what you asked and hope it's ok.
What is this Sirefef? It seems like it wants to stay.

Scan result of Farbar Recovery Scan Tool Version: 16-05-2012
Ran by SYSTEM at 16-05-2012 19:15:34
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10151968 2010-05-20] (Realtek Semiconductor)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113296 2010-03-29] (NEC Electronics Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\... Read more

8 more replies
Relevance 96.57%

Hello,

I've been infected with Sirefef for a week now; I've tried System Restore, full system scans in Safe Mode, TDSSKiller, and numerous Sirefef removal tools from Kaspersky, ESET and Symantec, to no avail. MSSE still finds Sirefef reincarnations from time to time.

please help!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by The Great Dark Lord at 2:12:28 on 2012-07-01
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8159.4495 [GMT 4.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Wind... Read more

Answer:Sirefef.P Win32 / Sirefef.Y Win64

Hi,

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.
Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter. Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run. When the tool opens click Yes to disclaimer.
Uncheck the Whitelist boxes next to Registry, Services, Drivers, and known DLL's.
Place a check next to List Drivers MD5.
Press Scan button. It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

33 more replies
Relevance 96.28%

I installed Microsoft Security Essentials and ran a full scan of the system. But I found out that my Windows is attacked by Trojan:win64/Sirefef.W, Trojan:win64/Sirefef.M and Trojan:win32/Sirefef.AK. Microsoft Security Essentials was unable to remove them. The main issue that I have been facing since this incident is that Windows can't update Firewall settings. The following message is displayed: "Windows Firewall cant change some of your settings. Error code 0x80070424". Additionally, the antivirus program "Microsoft Security Essentials" keeps on detecting the above mentioned malwares and asks to delete these files. Once deleted it asks for a reboot. After restart again these viruses are re-created and it's been happening for the last couple of weeks.

In order to resolve this issue I searched the internet and found http://www.bleepingcomputer.com so I posted a topic regarding this issue and I have been receiving help from one of your experts. Here's the link of this topic: http://www.bleepingcomputer.com/forums/topic455970.html/page__gopid__2721298#entry2721298

Now that the problem persists, I have been asked for the elevated help and to post a new topic here. I am glad to know that your team is so dedicated to helping us. As I am using the 64-bit version of Windows, only DDS logs were created. DDS.txt logs are given below and attach.txt has been attached as well.....

DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 9.0.8112.16421 BrowserJavaVersion... Read more

Answer:Infected with Trojan:win64/Sirefef.W, Trojan:win64/Sirefef.M and Trojan:win32/Sirefef.AK

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more

27 more replies
Relevance 95.41%

I seem to have picked this up last night. So far all I've done is, when my anti-virus detects it, I've been moving it to the anti-virus chest. When I ran the full scan though, it said it doesn't detect anything. Any help would be greatly appreciated.
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 1.6.0_30
Run by Toni at 7:09:16 on 2013-09-10
Microsoft Windows 7 Starter   6.1.7600.0.1252.63.1033.18.2048.392 [GMT -5:00]
.
AV: avast! antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Common Files\Spigot\Search Sett... Read more

Answer:Win32:Sirefef-BTT [Trj], Win64:Sirefef-A [Trj], Win32:Malware-gen

Good evening.

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop. You will then need to extract the file(s) from the zipped folder. To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All... In the Extraction Wizard window that opens, click on Extract and the contents should appear in a new window.
Please close all open programs as this may result in a reboot being necessary.
Double click TDSSKiller.exe to begin.
Click Change parameters and check the two boxes under Additional Options and then click OK.
Click Start scan and allow the tool to do just that.
Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
The log that the tool creates will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt - I'd like a copy of the contents in your next reply. Please check that you get the one with the right date and time.

19 more replies
Relevance 91.06%

Found with MSE and scanned with Malwarebytes, no help; just hoping someone can help.
 
dds file logs
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 1.7.0_09
Run by Sean at 15:38:09 on 2013-08-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8141.5674 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* 1
SP: Windows Defender *Disabled/Updated* 0
SP: Microsoft Security Essentials *Disabled/Updated*

.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k... Read more

Answer:trojan.win64/sirefef.p and trojan.win32/sirefef.ab removal help

Hello silencer626, I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sa... Read more

34 more replies
Relevance 87.29%

Hello everyone, sorry if I make another post about this facking virus but as I saw around it seems to be different for everyone (the removing process).

Here I am, from Italy, praying for someone to help me to remove this facking bleep. The situation atm is that at intervals of 3 minutes Microsoft Security Essentials finds on my PC these 2 files:

Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

and I don't know what to do.. Anyone that is able to help me?

EDIT: i'm running Windows 7 ultimate edition 64 bit service pack 1

Answer:Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P NEED HELP PLEASE!

Anyone that can help me? That thing is stealing all my passwords!

4 more replies
Relevance 87.29%

Hi,
I'm stuck with Microsoft Security Essentials detecting two trojans upon startup:

Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

Located in:
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

I ran everything on the READ & RUN ME (except RootRepeal as I got Windows 7 Professional x64).

I hope I have attached all needed logs.

P.S. I'm pretty sure that the KMService.exe in the MBAM log is a false positive (it's an MS Office activator).
 

Answer:Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Also this:
 

20 more replies
Relevance 87.29%

Hello everyone, sorry if I make another post about this virus but as I saw around it seems to be different for everyone (the removing process).

Here I am, from Italy, praying for someone to help me to remove this. The situation atm is that at intervals of 3 minutes Microsoft Security Essentials finds on my PC these 2 files:

Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

and I don't know what to do.. Anyone that is able to help me?

EDIT: i'm running Windows 7 ultimate edition 64 bit service pack 1
 

Answer:Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P NEED HELP PLEASE!

Anyone that can help me? That thing is stealing all my passwords!
 

2 more replies
Relevance 87.29%

Hi, I'm from Portugal and I'm getting frustrated because I can't remove this virus.

Microsoft Security Essentials is finding 2 files I can't remove when I reboot the computer. When I reboot, MSE continues to find those files.

I'm running Windows 7 Home Premium Edition 64 bit service pack 1.

Please help me!

Answer:Trojan:Win32/Sirefef.AB and Trojan:Win64/Sirefef.P

Help me, please. I don't know what to do.

60 more replies
Relevance 87.29%

Hi guys,

I'm running Windows 7 64-bit OS. I recently found that Microsoft Security Essentials wasn't running and I had to reinstall it. Once I did, it found these trojans.
I did a bit of research and read some other posts but it looks like there is a detailed and unique fix for each person.

I think I have done everything in the READ AND RUN ME thread, and I hope I have attached all the correct logs as requested.

The only problems I had were with MGTools. I got the following errors:
"The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll"
and
"Application has generated an exception that could not be handled.

Process id=0xac8 (2760), Thread id=0xce4 (3300)"

Thanks for your time.

Cheers
 

Answer:Trojan: Win32/Sirefef.AB and Trojan: Win64/Sirefef.P

Rescan with HitmanPro.
Choose to Delete these files if they are detected:

C:\$Recycle.Bin\S-1-5-18\$f6a6e0a66969d09ba37420a38f97ea5e\n
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

Ignore all other detections.
Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

[RUN][BLACKLIST DLL] HKLM\[...]\Run : THXCfg64 (C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-360523327-522932163-1323501305-1000\$f6a6e0a66969d09ba37420a38f97ea5e\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$f6a6e0a66969d09ba37420a38f97ea5e\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : ... Read more

11 more replies
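A read-only triage script for the indicators named in this thread and in the post above that lists the two GAC Desktop.ini paths: UAC registry values forced to 0, CLSID InprocServer32 entries pointing under $Recycle.Bin, and Desktop.ini present in GAC_32/GAC_64. This is an added example and not code from the original posts, RogueKiller or HitmanPro; it only reports, never deletes, and the $recycleBinPattern name is an assumption.

```powershell
# Added example: read-only triage of the ZeroAccess/Sirefef indicators quoted
# in the RogueKiller output above. Run from an elevated PowerShell prompt on
# the suspect machine. Nothing is modified or deleted; findings are printed
# for a human to review before any cleanup tool is run.

# 1. UAC policy values. The reply shows EnableLUA and ConsentPromptBehaviorAdmin
#    set to 0 in both the native and the Wow6432Node policy keys.
$uacKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $uacKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin') {
        $value = $props.$name
        if ($null -ne $value -and $value -eq 0) {
            Write-Output "[UAC] $key : $name = 0 (UAC weakened; expected non-zero)"
        }
    }
}

# 2. Desktop.ini inside the GAC folders. These two paths are the files MSE
#    flagged as Trojan:Win32/Sirefef.AB and Trojan:Win64/Sirefef.P in the posts.
#    A genuine Desktop.ini is a tiny text file; size and attributes are printed
#    so the reader can judge, the script does not decide for them.
$gacIni = @(
    "$env:SystemRoot\assembly\GAC_32\Desktop.ini",
    "$env:SystemRoot\assembly\GAC_64\Desktop.ini"
)
foreach ($path in $gacIni) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        Write-Output ("[FILE] {0} exists ({1} bytes, attributes: {2})" -f $path, $item.Length, $item.Attributes)
    }
}

# 3. COM hijacks: InprocServer32 default values that point into $Recycle.Bin,
#    matching the "\$Recycle.Bin\S-1-5-18\$...\n." entries RogueKiller reported.
#    Assumption: any InprocServer32 path under $Recycle.Bin is worth reporting.
$recycleBinPattern = '\\\$Recycle\.Bin\\'
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)
foreach ($root in $clsidRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $inproc) {
            $default = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($default -and $default -match $recycleBinPattern) {
                Write-Output "[COM] $($_.PSChildName) InprocServer32 -> $default"
            }
        }
    }
}
```

A clean machine prints nothing from sections 1 and 3; any [COM] line is the strongest signal of the three, since legitimate COM servers do not live in the recycle bin.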
Relevance 87.29%

Hi there, I kept getting a virus that AVG couldn't remove, which AVG wouldn't stop popping up about, so I tried a different anti-virus software, MSE, which seems to have (I would believe) half fixed the problem, as symptoms from the virus before like redirected webpages etc. MSE managed to stop. However, MSE is having trouble dealing with Trojan:Win64/sirefef.M and Trojan:Win32/sirefef.AK. Now I saw a topic posted about the Win32 one which suggested using ComboFix, which this site states not to use unless asked to, so I wanted to do things by the book (or by you guys about the problem). I have used ComboFix before on the same machine to remove another virus a while ago (maybe a year ago?).

A step by step method of removing the viruses, and what the viruses actually do so I know how bad it is for future reference. Thank you.

Using an ASUS ROG laptop with Windows 7.

Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal

Answer:Trojan:Win64/sirefef.M and Trojan:Win32/sirefef.AK

Download TDSSKiller.
Launch it.
Click on Change parameters - select TDLFS file system.
Click on "Scan".
Please post the LOG report (log file should be in your C drive).

Download aswMBR.
Launch it, allow it to download latest Avast! virus definitions.
Click the "Scan" button to start scan.
After scan finishes, click on Save log.
Post the log results here.

Download ESET online scanner.
Install it.
Click on START, it should download the virus definitions.
When scan gets completed, click on LIST of found threats.
Export the list to desktop, copy the contents of the text file in your reply.

15 more replies
Relevance 86.71%

Hello, I am having some trouble with removing the sirefef infection. I am running Windows 7 home premium 64 bit, I have already run FRST64 and here are the results.

Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 02
Ran by SYSTEM at 19-07-2012 13:36:31
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [161304 2010-08-10] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [386584 2010-08-10] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [415256 2010-08-10] (Intel Corporation)
HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA... Read more

Answer:win64/sirefef.p infection

Greetings And Welcome To The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

20 more replies
Relevance 86.71%

Running Win7 (x64). First noticed a problem when I booted and my desktop icons were in the wrong places (and medium instead of small). Then Norton Internet Security 2012 (fully updated) reported an error related to the Base Filtering Engine. Since then I've tried various things with the following results:

Norton Internet Security:

Reports that it has blocked [email protected] (Trojan Zeroaccess) and [email protected] (Trojan Zeroaccess) repeatedly. It has also blocked attempts by services.exe to target RMTray.exe (part of Norton, I believe).
Malwarebytes Anti-Malware:

I've run this several times (both quick and full scans; both regular and safe mode). It kept finding a rootkit in the windows\installer folder, but the most recent scans no longer report this.

Hitman Pro

I've run this several times (both regular and safe mode). It finds \windows\system32\services.exe and reports it as Virus.Win64!IK and Virus:Win64/Sirefef.B. It suggests Replace as the fix. I've tried this several times. In Safe Mode, it doesn't tell me it failed, but it doesn't seem to have fixed the problem. In standard mode, while it is trying to fix the problem I get an error telling me that Windows will reboot in 1 minute (and it does).

I've also run the McAfee rootkit tool, the Microsoft Malicious Software Removal tool, and maybe a few others, all without any success.

Based on other messages that I've seen here, I downloaded and ran some of the other diagn... Read more

Answer:Win64/Sirefef.B infection

I apologize for the duplicate posts. It looked like Windows hadn't registered the "Post" click so I mistakenly tried clicking again. Please delete the duplicate post if possible.

3 more replies
Relevance 86.71%

Hi

My spouse's laptop picked this trojan up earlier today, a win64/Sirefef.Y infection with auto rebooting. I read Mathew's post but since the script was written specifically for his machine, I thought I would make a separate post. I managed to run FRST and grab a log (see below). I'm posting from a different machine and disconnected my spouse's laptop from the network. Thanks for the help ahead of time.

Scan result of Farbar Recovery Scan Tool Version: 10-06-2012 03
Ran by User at 10-06-2012 21:16:26
Running from C:\Users\User\Desktop
Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.

========================== Registry (Whitelisted) =============

HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] ()
HKLM-x32\...\Winlogon: [Shell] [x ] ()
HKLM\...\InprocServer32: [Default] ATTENTION! ====> ZeroAccess?

==================== Services (Whitelisted) ======
========================== Drivers (Whitelisted) =============
========================== NetSvcs (Whitelisted) ===========
============ One Month Created Files and Folders ==============

2012-06-10 21:08 - 2012-06-10 21:08 - 00001084 ____A C:\Users\Public... Read more

Answer:win64/Sirefef.Y infection

Greetings And Welcome To The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more

38 more replies
Relevance 86.71%

Running Win7 (x64). First noticed a problem when I booted and my desktop icons were in the wrong places (and medium instead of small). Then Norton Internet Security 2012 (fully updated) reported an error related to the Base Filtering Engine. Since then I've tried various things with the following results:

Norton Internet Security:

Reports that it has blocked [email protected] (Trojan Zeroaccess) and [email protected] (Trojan Zeroaccess) repeatedly. It has also blocked attempts by services.exe to target RMTray.exe (part of Norton, I believe).

Malwarebytes Anti-Malware:

I've run this several times (both quick and full scans; both regular and safe mode). It kept finding a rootkit in the windows\installer folder, but the most recent scans no longer report this.

Hitman Pro

I've run this several times (both regular and safe mode). It finds \windows\system32\services.exe and reports it as Virus.Win64!IK and Virus:Win64/Sirefef.B. It suggests Replace as the fix. I've tried this several times. In Safe Mode, it doesn't tell me it failed, but it doesn't seem to have fixed the problem. In standard mode, while it is trying to fix the problem I get an error telling me that Windows will reboot in 1 minute (and it does). However, as of this morning (and after posting the original help request), Hitman Pro is no longer reporting the virus (though Norton still seems to be stopping something...).

I've also run the McAfee rootkit tool, the Micr... Read more

Answer:Win64/Sirefef.B infection

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

51 more replies
Relevance 86.42%

I recently purchased this laptop from a friend for a great price. After using the laptop I realize why it was such a bargain...

It had a Win7 fake anti-virus pop-up shortly after using it at home while I was in the process of trying to install avast! on the machine. By running a combination of rkill and MBAM I managed to remove the fake anti-virus and prevent it from rearing its head every time I tried to open any program. This didn't resolve the next issue of the DNS Changer though, not to mention any underlying issues I may not be aware of. After running a boot-time scan with avast! I discovered Win64:Sirefef-C (hiding inside of consrv.dll, my better judgement screamed "LEAVE IT ALONE"), and I also have the issue of Win32:DNSChanger-VJ being blocked by avast! every few minutes. If I disable avast! and attempt to do any internet browsing I got thrown all over the place. I'll never go to yellowpages.com again, that's for sure.

In the end, I ran out of options, so here I am, hoping that you good folks can get me out of this pickle (and a possible case of buyer's remorse! haha). My logs are below. Thanks in advance.

Guy

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_25
Run by Guy at 4:14:05 on 2011-12-12
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2804.1488 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
... Read more

Answer:Win64:Sirefef-C / Win32:DNSChanger-VJ

Hi Guy! Welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thi... Read more

15 more replies

It appears that I have a trojan or trojans on my computer. Avast keeps telling me that either Win32 DNSChanger-VJ has been blocked or Win64 Sirefef-A has been blocked. I noticed that there are a couple of previous posts on similar trojans. Should I just read and follow one of those or does removal need to be tailored to my computer?
I have a Toshiba Satellite A135, Windows Vista Home Basic, 32 Bit, Service Pack 2.
Thanks

Answer:Win32 DNSChanger-VJ/Win64 Sirefef-A

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more

56 more replies

Good day Sir

I am currently using AVG anti-virus. I discovered yesterday that my pc was infected with the above when a pop up appeared from AVG Resident Shield Alert.
Filename : c:\WINDOWS\System32\services.exe
Threat warning: Trojan horse patched_c.LZI detected when open

I searched online & followed to this forum. I ran esetscan & found this:
C:\Downloads\Software\apex-video-converter-free.exe multiple threats
C:\WINDOWS\Installer\{9081a400-93a1-c7e5-1756-88339bbd685a}\U\[email protected] Win64/Agent.BA trojan
C:\WINDOWS\Installer\{9081a400-93a1-c7e5-1756-88339bbd685a}\U\[email protected] Win64/Sirefef.AE trojan
C:\WINDOWS\Installer\{9081a400-93a1-c7e5-1756-88339bbd685a}\U\[email protected] a variant of Win32/Sirefef.FD trojan
Operating memory a variant of Win32/Sirefef.EZ trojan
I would appreciate whatever help in overcoming this threat.

Thank you & looking forward to your advice.
D

Answer:Win64/Agent.BA trojan, Win32/Sirefef.FD trojan & Sirefef.AE trojan

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.
If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom

21 more replies

Hello. I am not sure what's going on with my laptop, but I'm quite certain that I might have virus/trojans or something. I have done a full scan with Malwarebytes Antimalware 1.70 but no malware detected. Significant and rather annoying computer problems include: unable to log in to one of my yahoo email (i.e. redirect to edit.yahoo.com and asking for code, and when I tried 2 of my other yahoo email, everything works normal without redirection or asking for code, etc), random characters showing up on my note pad file and sometimes on websites, google chrome and computer processing is considerably slow and sometimes I can't find the whole page on the websites, especially in Facebook, seems to be unable to load page properly and needs to be refreshed. Oh, and the one I find the most odd is when I can't even rename my own folder in my Document folder, that's very scary.

I have also read the thread forums from http://www.bleepingcomputer.com/forums/topic456344.html and http://www.bleepingcomputer.com/forums/topic464267.html

The forums above have similar symptoms like my laptop, which is why I suspect the Trojan:win64/sirefef.W. Please help me, I'm totally confused and I don't even know how I get this trojan. Any help would be appreciated. Thank you.

Answer:Possible infection with Trojan:win64/sirefef.W

to BleepingComputer.

My name is Matthias and I'll help you with the cleanup of your computer.

Please be aware of the following:
Please complete all steps in the specified order.
Even if tools don't find malware, I want you to post the logfiles anyway.
Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
Don't install or uninstall software during the cleanup unless you are told to do so.
If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
I can not guarantee that we will find and be able to remove all malware. Formatting is usually faster and always the safest way.
If you decide to clean your PC, work with us until a team member tells you that you are clean.
As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.

Step 1
Please download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.pif
Double click on the DDS icon, allow it to run.
Mark the option attach.txt.
Click on Start.
After the scan has finished, confirm the message with Ok.
DDS will automatically open both logfiles.
You can find them on your desktop as well.
Please post the content of tho... Read more

27 more replies

Hi all, thanks for reading and thanks in advance for any help.

I was surfing yesterday and got a notification that my adobe flash player needed updating. I wasn't paying attention and just clicked yes and almost immediately after downloading an update file, my AVG found an infection of Win64\patched.A virus. I immediately shut down and booted in safe mode. I ran a full scan of avg, and it did find the file c:\windows\system32\services.exe infected with said virus.

However, it could not clean it and I'm not sure if it even allowed me to delete it because it said the file was "white listed" since it was a system file. I then googled this virus along with some manual removal instructions, including deleting some reg keys. Tried that, ran AVG again, no luck, still same file infected.

It was late, so I shut down the computer and so far all day today has been spent trying to get rid of this infection. Also, my first avg scan today noticed another infection of luhe.sirefef and generic29.anpx viruses. Unfortunately was not successful in removing either of those.

I've tried some online scanners as well as the avg on and off today and nothing has worked so far. Aside from the performance of the computer, I don't notice any slow downs, but I am getting the browser redirecting and a popup from adobe flash keeps saying I need to update my flash player. Since I think it might have been the first download of the adobe update that caused my i... Read more

Answer:win64\patched.a, sirefef, need help with infection!

Welcome aboard

This type of infection requires elevated help.
Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

2 more replies

My security alert says I have these four viruses and all attempts to clean them using microsoft forefront client security have failed. Besides, the computer shuts down every couple of minutes. Please help, I am frustrated.

Answer:Please help me rid my laptop of win32/sirefef.an, sirefef, sirefef.ao, and sirefef.ag

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

23 more replies

My mother-in-law has gotten herself infected with the win64/Sirefef.Y virus. At first it just would not let me run any programs to try to fix it. Now it has gone to rebooting a minute after windows starts. Needless to say it's driving me nuts!

I am not really able to run much. I have been able to run FRST and will post the log below. Other than that, it reboots before being able to run anything. I have tried safe mode, regular mode, safe mode to command prompt, System Recovery then command prompt. Not able to run anything other than FRST.

Any help?

Scan result of Farbar Recovery Scan Tool Version: 09-06-2012 01
Ran by SYSTEM at 09-06-2012 18:40:44
Running from L:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8158240 2009-10-06] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [166424 2009-11-24] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [390680 2009-11-24] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [410136 2009-11-24] (Intel Corporation)
HKLM\...\Run: [lxeamon.exe] "C:\Program Files (x86)\Lexmark S300-S400 Series\lxeamon.exe... Read more

Answer:win64/Sirefef.Y infection with auto rebooting

Hi

Please do the following:

Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
C:\Windows\Installer\{1d7aa739-ba01-0a21-4eb4-a8b45e1f7606}
C:\Users\Elaine\AppData\Local\{1d7aa739-ba01-0a21-4eb4-a8b45e1f7606}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
Now restart, let it boot normally and tell me how it went.

NEXT

Refer to the ComboFix User's Guide
Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here
Double click on ComboFix.exe & follow the prompts. Your desktop may go blank. This is normal. It will return when ComboFix is... Read more

25 more replies

So about 3 days ago I found out my computer had a virus so I decided to DL microsoft essential, ran it and found a win64 virus and that's where all hell breaks loose. Needless to say my antivirus couldn't even detect it, so thus I come to you for help. I was able to run FRST, ran it like 4 times, all logs looked the same, that's about all I could do before it gives me the critical problem thing and shuts down.

Here is the log. Please feel free to email me if I am missing anything you would need, I'll try to get it.
Scan result of Farbar Recovery Scan Tool Version: 10-06-2012 01
Ran by Kurisu at 10-06-2012 17:18:31
Running from C:\Users\Kurisu\Desktop
(X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.

========================== Registry (Whitelisted) =============

HKU\Aleisha\...\Run: [DownloadAccelerator] "C:\Program Files (x86)\DAP\DAP.EXE" /STARTUP [x]
HKU\Aleisha\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)
HKU\Aleisha\...\Run: [ooVoo.exe] C:\Program Files (x86)\ooVoo\oovoo.exe /minimized [21975120 2011-08-14] (ooVoo LLC)
HKU\Aleisha\...\Run: ... Read more

Answer:win64/Sirefef.Y infection with auto rebooting

FRST needs to be run from the Recovery Environment or it doesn't function properly. It only produces a diagnostic log until a fix is created based on what is found on the machine.

Delete the copy of FRST that you have on your machine then follow these instructions:

Download Farbar Recovery Scan Tool and save it to a flash drive. (You need the 64 bit version.)
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the co... Read more

26 more replies
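The two FRST answers above make the same point from different directions: the log is only useful to a helper if the tool was run from the Recovery Environment (the banner in the log above says it was not), and the fix a helper then writes keys off specific markers in that log (the SubSystems: [Windows] ==> ZeroAccess line and the GUID-named directories under \Installer and \AppData\Local in the earlier fixlist). As an added example, not code from this forum or from Farbar's tool, here is a small Python triage script that reads pasted FRST-style text and reports whether the log is usable and which of those markers appear. The sample log is constructed from the excerpts quoted in these threads; the [x] suffix on a Run entry is assumed (as the logs above suggest) to mean FRST could not find the target file; the regular expressions are my own reading of the log lines, not a documented grammar of the format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, not a real log: it splices together the kinds of lines
# quoted in the FRST excerpts of the threads above (the "not run from Recovery
# Environment" banner, Run entries, the ZeroAccess SubSystems marker and the
# GUID-named Installer/AppData directories the fixlist targeted).
SAMPLE_LOG = """\
Scan result of Farbar Recovery Scan Tool Version: 10-06-2012 01
Ran by SYSTEM at 10-06-2012 17:18:31
Running from C:\\Users\\Example\\Desktop
(X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.

========================== Registry (Whitelisted) =============

HKLM\\...\\Run: [RtHDVCpl] C:\\Program Files\\Realtek\\Audio\\HDA\\RAVCpl64.exe -s [8158240 2009-10-06] (Realtek Semiconductor)
HKU\\Aleisha\\...\\Run: [DownloadAccelerator] "C:\\Program Files (x86)\\DAP\\DAP.EXE" /STARTUP [x]
SubSystems: [Windows] ==> ZeroAccess
C:\\Windows\\Installer\\{1d7aa739-ba01-0a21-4eb4-a8b45e1f7606}
C:\\Users\\Elaine\\AppData\\Local\\{1d7aa739-ba01-0a21-4eb4-a8b45e1f7606}
"""

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
# A GUID-named directory sitting directly under \Installer\ or \AppData\Local\,
# the placement both fixlists in this thread targeted (assumed indicator).
GUID_DIR_RE = re.compile(r"\\(?:Installer|AppData\\Local)\\" + GUID + r"(?:\\|$)", re.I)
# The marker FRST printed for a hijacked Windows subsystem entry in the log above.
ZEROACCESS_RE = re.compile(r"^SubSystems: \[Windows\] ==> ZeroAccess\b", re.I)
# Run entries: key, value name, and the remainder (path, size/date, vendor or [x]).
RUN_RE = re.compile(r"^(HK(?:LM|U)\\.*?\\Run): \[([^\]]+)\] (.*)$")
MISSING_RE = re.compile(r"\[x\]\s*$", re.I)        # assumed: target file not found
NOT_RE_RE = re.compile(r"NOT RUN FROM RECOVERY ENVIRONMENT", re.I)
HIVE_RE = re.compile(r"Could not load system hive", re.I)


@dataclass
class Triage:
    usable: bool                                   # False if FRST says the run was not from the RE
    reasons: list = field(default_factory=list)    # why the log is not usable
    zeroaccess_markers: list = field(default_factory=list)
    guid_dirs: list = field(default_factory=list)
    missing_run_targets: list = field(default_factory=list)


def triage_frst(text: str) -> Triage:
    """Read FRST-style text line by line and collect the markers a helper looks for."""
    t = Triage(usable=True)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if NOT_RE_RE.search(line):
            t.usable = False
            t.reasons.append("tool was not run from the Recovery Environment")
        elif HIVE_RE.search(line):
            t.usable = False
            t.reasons.append("system hive could not be loaded")
        if ZEROACCESS_RE.match(line):
            t.zeroaccess_markers.append(line)
        if GUID_DIR_RE.search(line):
            t.guid_dirs.append(line)
        m = RUN_RE.match(line)
        if m and MISSING_RE.search(m.group(3)):
            t.missing_run_targets.append(m.group(2))
    return t


def recommend(t: Triage) -> str:
    """Next step for the helper; mirrors the advice given in the answer above."""
    if not t.usable:
        return ("Log is diagnostic only: " + "; ".join(t.reasons)
                + ". Re-run FRST from System Recovery Options > Command Prompt before writing any fixlist.")
    if t.zeroaccess_markers or t.guid_dirs:
        return "ZeroAccess-style indicators present; a machine-specific fix needs the full log."
    return "No ZeroAccess-style indicators in this excerpt."


if __name__ == "__main__":
    result = triage_frst(SAMPLE_LOG)
    print("usable:", result.usable)
    for reason in result.reasons:
        print("  -", reason)
    print("ZeroAccess markers:", result.zeroaccess_markers)
    print("GUID directories:", result.guid_dirs)
    print("Run entries with missing targets:", result.missing_run_targets)
    print(recommend(result))
```

Run it as a script to see the triage for the constructed sample; triage_frst() takes any pasted FRST text. It is a reading aid for the helper, not a cleaner: it changes nothing on the machine, and for an unusable log it gives the same instruction the answer above does, re-run FRST from System Recovery Options and only then build a fix.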

Hi, I am a first time poster on this forum, joined because I have used this site for reference in the past. 2 days ago my Microsoft Security software quarantined the "win64/sirefef.b" trojan. Yesterday, I found out I wasn't able to access the internet anymore because my Base Filtering Engine service was removed. I found directions online and reapplied that file and was able to connect to the internet (perhaps I should have come on here first) and started running MBAM. Halfway through, a bunch of "critical error" notices popped up and "SMART HDD" started running. My Windows Security software then noted the existence of "bumat!rts." At that point my PC automatically rebooted and the next time my files became hidden and background became totally black.

My question to anyone that may help is this: I've searched this site for similar issues and was wondering if "sirefef.b" infections can be totally eradicated, I see that it's pretty severe. If it cannot be totally removed I wish to do a re-install of everything. I have a Toshiba Satellite laptop with the following CD's created after initial purchase: Toshiba Recovery Discs, Drivers Recovery Disc, and the Windows Environment Recovery Disc. Will I be able to get the laptop back to factory condition? What method is easiest?

I don't have another pc at home and therefore can't access the web. I can only check while at work.

Any help would be gla... Read more

Answer:Trojan (win64/sirefef.b)(win32/bumat!rts)(Smart HDD)

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:
If you have since resolved the original problem you were having, we would appreciate you letting us know.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply'... Read more

13 more replies

Good evening. I hope I can get some help. Running Windows 7; experiencing browser search result links being redirected; security and anti-malware protection can detect but not permanently remove backdoor and trojan malware; no other obvious symptoms present as yet. Likely rootkit infection? DDS.txt is as follows:

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by Doctor at 17:24:13 on 2011-08-04
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3959.2170 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k net... Read more

Answer:Trojan: Win64/Sirefef.B and Backdoor: Win32/Cycbot.B

Additional symptom observed: MS security essentials updates disabled, "Error code: 0x80070422"; Windows 7 Firewall settings cannot be accessed, same error code.

41 more replies

I have been following the instructions on the Tutorials "How to remove a trojan virus..." but am still finding troubles with the Firewall. In the meantime I downloaded and installed ZoneAlarm as a firewall. I use Windows Security Essentials, and that had been shut down too. I uninstalled that, and reinstalled a new copy, but it won't ever allow the downloads of the recent definitions. I managed to update the definitions today and it found Trojan:Win64/Sirefef.AC and removed it.

Any help would be greatly appreciated. Thank You.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_35
Run by beanefamily at 22:06:21 on 2012-09-06
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2000 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestric... Read more

Answer:Had/Have Trojan:Win64/Sirefef Infection, cannot turn on Windows Firewall

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

13 more replies

Microsoft Security Essentials keeps reporting this Trojan and quarantines it. After attempts to remove the file, it keeps reappearing. It shows a file location that I am unable to find on my system: C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\U\[email protected]
Now I am getting a warning about VirTool Win32/Obfuscator.XQ @ C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\n However, this file cannot be located either. There is no C:\Windows\Install directory.
Also Combofix loads and starts then it crashes. Disappears from file manager and splash screen disappears -- The program literally stops running.


DDS Text File Contents:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Estelle Clark at 2:59:47 on 2012-05-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2423.1353 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSp... Read more

Answer:Infected with Trojan:Win32/Sirefef.AG and Sirefef.I

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more

4 more replies

Computer wasn't showing up on the local network, firewall was complaining it couldn't start and the service was missing. Function Discovery Resource Publication was refusing to start too. Skimmed some blogs, ran Combofix and let it do its thing (realise that I probably shouldn't have been so cavalier now) and the computer restarted and reappeared on the network. The firewall sprang back into life, windows downloaded several updates and security essentials detected Win32/Sirefef!cfg in two locations and Win64/Sirefef.AC in another. These were quarantined and deleted. Ran Malwarebytes antimalware which detected a couple of other things in install files (not running) and removed them. I subsequently ran combofix /uninstall and the computer seems to be behaving itself, but I want to be sure that I've actually removed the infection. DDS log below, many thanks in advance:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 1.6.0_35
Run by daniel at 21:23:25 on 2012-12-10
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.44.1033.18.8183.5735 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows&... Read more

Answer:sirefef.ac and sirefef!cfg infection - firewall and various other services were gone

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more

16 more replies

My computer is restarting every minute due to "critical error" because of Sirefef. I went ahead and got both FRST.txt and Search.txt for services.exe which I will post below. Also, I want to know if it is likely that Sirefef might spread through USB stick or my home network to another Win 7 computer? I am guessing I got infected from a fake adobe flashplayer update, is that right?

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 16-07-2012 01
Ran by SYSTEM at 19-07-2012 22:44:46
Running from G:\
Windows 7 Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SunJavaUpdateSched] [x]
HKLM\...\Run: [LogMeIn Hamachi Ui] [x]
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\CompooterUser\...\Run: [DAEMON Tools Lite] [x]
HKU\CompooterUser\...\Run: [Steam] [x]
HKU\CompooterUser\...\Run: [uTorrent] [x]
HKU\CompooterUser\...\Winlogon: [Userinit] [x]
HKU\CompooterUser\...\Winlogon: [Shell] [x]
HKU\Default\...\Run: [Sidebar] [x]
HKU\Default\...\Winlogon: [Userinit] [x]
HKU\Default\...\Winlogon: [Shell] [x]
HKU\Default User\...\Run: [Sidebar] [x]
HKU&#... Read more

Answer:Sirefef.R and Sirefef.AH infection with forced restart

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

6 more replies

Had (may still have) an infection on my laptop. Used the Avast boot scan and it seems to have stabilized and has not found subsequent infected files on further scans. Currently have no audio as a result of the infection, and one of the quarantined files was a System32 cd*.sys file. Find attached the requested files.

Quite a few of the services set for automatic start will not start because modules are missing. The DVD/CD player being one of many.
 

Answer:Win32:Sirefef-JQ infection

16 more replies

Following instructions from my previous posting. At first the tools seemed to clear the search engine redirection, but GMER still shows a problem. Tech decided to send me to this forum, and I started again with step 6 on the guide. DDS worked well. Tried to run GMER with the new instructions, and it stops after about 40 min. Attempts to sneak GMER through with a scrambled name failed. So I ran it for 25 min and stopped the scan, and that is what I am posting. If it runs long enough the virus apparently stops the scan and I have a gray screen and have to turn off the laptop and turn it back on and try again. I ran CD emulation disable, and it said "finished", but I can't tell if I had anything to disable, since I got no further instruction from that program. Laptop seems to be working well with no redirection but tech thinks the virus is still present.

DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by MARK at 22:46:15 on 2012-04-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2118 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\... Read more

Answer:win32/sirefef.ac and win32/sirefef.ah redirecting trojans?

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send ... Read more

15 more replies

Good morning fellow Bleepers,

My computer is currently running Windows XP Professional SP3. My antivirus (CA eTrust) indicates that Win32/sirefef.EB has been cured and needs to restart the computer. I have done this a number of times and continue to get the same notification, but with different DLLs. When opening IE it would open and redirect to either crave videos, a women's health site, or a registry cleaner site. Windows Security sometimes pops up indicating no firewall.

Please help in getting rid of this infection.

I have run DDS but CANNOT run GMER. GMER starts running and then a blue screen pops up indicating a memory dump of some sort, along with a message that there have been changes in software or hardware and the computer needs to be shut down.

Thanks in advance.
remy888

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by GEORGE at 18:42:50 on 2012-05-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.947 [GMT -4:00]
.
AV: eTrust ITM *Enabled/Updated* {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
AV: Emsisoft Anti-Malware *Enabled/Updated* {0F8591BB-342B-4493-91C3-4E948ED21255}
.
============== Running Processes ===============
.
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C... Read more
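The "AV:", "SP:" and "FW:" lines at the top of a DDS log are the first thing a helper checks, and this post's log shows two antivirus products both reporting *Enabled* (eTrust ITM and Emsisoft Anti-Malware). The script below is an added example, not part of the original post and not DDS's own code. It parses those status lines and reports products that are disabled or have outdated definitions, and whether more than one AV engine is enabled at the same time. The sample input is constructed: it combines the status lines quoted in this post, in the "win32/sirefef.ac" post above, and in the "Win32:Sirefef-FQ" post further down; no single machine on this page reported all six.

```python
import re
from typing import Dict, List

# Constructed sample: AV/FW/SP status lines copied from three different DDS logs
# quoted on this page and combined into one input for illustration.
SAMPLE_DDS = """
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: eTrust ITM *Enabled/Updated* {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
AV: Emsisoft Anti-Malware *Enabled/Updated* {0F8591BB-342B-4493-91C3-4E948ED21255}
FW: ESET Personal firewall *Enabled*
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
"""

# One DDS status line: <AV|SP|FW>: <product> *<Enabled|Disabled>[/<Updated|Outdated>]* [{GUID}]
# (the trailing definitions state and GUID are absent on FW lines in the logs above).
_STATUS = re.compile(
    r"^(?P<kind>AV|SP|FW): (?P<name>.+?) \*(?P<state>[A-Za-z]+)(?:/(?P<defs>[A-Za-z]+))?\*"
    r"(?: \{(?P<guid>[0-9A-Fa-f-]+)\})?$"
)


def parse_status_lines(text: str) -> List[Dict[str, str]]:
    """Return one dict per AV/SP/FW line: kind, name, state, defs (None if absent), guid."""
    found = []
    for raw in text.splitlines():
        m = _STATUS.match(raw.strip())
        if m:
            found.append(m.groupdict())
    return found


def assess(text: str) -> Dict[str, object]:
    """Summarise protection state the way a helper would read it off the log header."""
    products = parse_status_lines(text)
    issues = []
    enabled_av = [p["name"] for p in products if p["kind"] == "AV" and p["state"] == "Enabled"]
    for p in products:
        if p["state"] != "Enabled":
            issues.append("%s %s is %s" % (p["kind"], p["name"], p["state"].lower()))
        if p["defs"] == "Outdated":
            issues.append("%s %s has outdated definitions" % (p["kind"], p["name"]))
    if len(enabled_av) > 1:
        # Two real-time engines commonly conflict and can quarantine each other's
        # components; helpers usually ask for one to be removed before cleanup starts.
        issues.append("more than one AV engine enabled: " + ", ".join(enabled_av))
    return {"products": products, "enabled_av": enabled_av, "issues": issues}


if __name__ == "__main__":
    for issue in assess(SAMPLE_DDS)["issues"]:
        print("-", issue)
```

Feed it a whole DDS.txt; only the header status lines match, so the running-process and service sections below them are ignored.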

Answer:Win32/sirefef.EB virus infection

Good evening. When you ran DDS it should have created an additional file - Attach.txt. Will you post the contents of that in your next reply, re-running DDS if you didn't retain a copy.

Also, pay a visit to the ESET Online Scanner. Click the ESET Online Scanner button and a new window will open - you may need to maximise it. Click the Run ESET Online Scanner button in the new window.
If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
When you see the Computer Scan Settings window, you will need to make the following changes:

UNCHECK Remove found threats - this is important.
Check Scan archives
Click on Advanced settings
Check Scan for potentially unsafe applications
Once ready, click Start to begin - not a surprise really!

The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted. The above will take a little time, so now is a good time to fire up the kettle and open the biccies. Once the scan has completed you will be shown the results - assuming that the scanne... Read more

26 more replies

Greetings, firstly, thank you for taking the time to look into my issues.

I am currently running Windows Vista 32bit standard edition on a Dell Inspiron 1400 laptop.

Up until last week I was running fine, but due to a stupid error on my part (I clicked a link in an email I thought was legit), since then I am experiencing several issues. It first began with (I assume) the Google redirect virus. I use Internet Explorer and use Safari as a backup. It seemed to be only in Internet Explorer. It would allow me to search any topic, for instance, Guild Wars 2. When I would select it in the search bar, everything seemed normal, unless I clicked the site's webpage. I would be redirected to another site. However, if I clicked on a wiki page, it would act normal. Also, I had no popups that seem to go along with that virus. I ran SUPERAntiSpyware and Malwarebytes, and they showed nothing. A few days later I noticed that I would sometimes experience random commercial audio playing while I was not even using any search engines.

Recently, I reinstalled Microsoft Security Essentials and ran a full scan (took almost 14 hours); it found an issue (sorry, didn't log it) and apparently "fixed" the issue. I was able to use IE without redirects. That didn't last long. A day after that, whenever I log on to my laptop a few minutes will go by, ranging from 1 to 10 minutes, and I will receive a window stating, "Windows has encountered a critical error and needs to restart. You have one... Read more

Answer:Malware Win32/sirefef infection and more......

Hello, let's see what we can get here...

Reboot into Safe Mode with Networking

How to enter safe mode (XP/Vista) using the F8 method:
Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode with Networking using the arrow keys. Then press enter on your keyboard to boot into Safe Mode.

>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

Run RKill....

Download and Run RKill
Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
If nothing happens or if the tool does not run, please let me know in your next reply.
Do not reboot your computer after running rkill a... Read more

18 more replies

I was directed to this forum from here http://www.bleepingcomputer.com/forums/topic443998.html

Summary: The laptop is running Windows 7 64. The laptop was initially opening webpages on its own when going to normal sites such as Google or Yahoo. Avast discovered w32.sirefef-ho as consrv32.dll in the locations c:\windows\system32\ and c:\windows\system64. Originally I moved them to the Virus Chest. When I rebooted, the laptop would not boot into Windows. I was unsure what to do, so I reverted to a restore point. The laptop would then boot up but is still infected. That is when I sought out help in the original post which is linked in the first line of this post. Avast will occasionally pop up a window that says a threat was detected, win32.DNSChanger.vj, and the location is usually c:\windows\assembly\temp\u\, and will say no further action is necessary. It will ask me to do a boot time scan after it displays this warning. I have been clicking no and will continue to do this unless instructed differently.

I followed the steps starting at Step 6 per the request above. I did not perform Step 7 due to running a 64bit OS per the instructions. One set of instructions said to zip the attach.txt file and one did not mention it. It isn't very big so I didn't zip the file. I apologize if I should have and if I need to I will do so, just let me know.

Below are the contents of dds.txt and attached is the attach.txt file.

.
DDS (Ve... Read more

Answer:Win32.Sirefef.Ho infection consrv.dll

Hello StarkyD , Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
We need to get a little more information before we begin.

1. Please download aswMBR ( 511KB ) to your desktop. Double click the aswMBR.exe icon to run it. Click the Scan button to start the scan. On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
2. Please download Listparts64. Run the tool, click Scan and post the log (Result.txt)... Read more

42 more replies

Yesterday I downloaded what I thought was a 300 MB RAR file in Chrome; it turned out to be like 200 KB (clearly a server). Avast alerted me and Windows Defender popped up saying it detected Win32/Sirefef (which is a botnet), so I disconnected from the net straight away. I don't know if it detects it because Avast/Chrome stopped it in the temp folder, or if it actually infected my system.
I've performed scans with Malwarebytes and AdwCleaner and checked logs with DDS. None of these reported anything. Nothing suspicious in the resource monitor and no new keys in the registry.
Is it safe to assume I'm clean so I can reconnect to the net? Or could this have got really deep in my system??

Answer:Win32/Sirefef Possible Botnet Infection?

Welcome aboard.

ZeroAccess rootkit (aka Sirefef) requires elevated help. Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

3 more replies

Hello

I had a computer infected with the Win 7 Antispyware 2012 rogue anti-spyware program which I thought I had removed by following guides on this site. The problem I have is that Windows 7 cannot see my network devices. The "Computer Browser" service will not start, failing with Error 1060.
I have run scans with Malwarebytes which finds nothing, but when I ran a scan with aswMBR it said I was infected with the Win32:Sirefef-FQ virus.
I'm not getting redirects with Google searches but do get doubleclick.net showing on the back button in Internet Explorer.

Any help with this would be much appreciated

Thanks Pintglass

Answer:Help removing Win32:Sirefef-FQ Infection

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

3 more replies

As I said in the previous post, I didn't actually run any executable; Windows Defender just notified me that it caught this malware when Chrome temporarily downloaded a RAR file (I thought it was something else). It was about 300 KB.
I disabled my wireless adapter and haven't connected since. I might just be paranoid..
Nothing reported in MBAM or any other scanners, nothing in the logs either, but I'll post anyhow.
I'm using my Android; the uploader won't let me upload anything.

Answer:Win32/Sirefef Possible Botnet Infection?

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 29/08/2013 16:12:01
System Uptime: 30/01/2014 09:33:35 (7 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | H55M-UD2H
Processor: Intel® Core™ i3 CPU 530 @ 2.93GHz | Socket 1156 | 2926/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 119 GiB total, 18.006 GiB free.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: VMware Virtual Ethernet Adapter for VMnet1
Device ID: ROOT\VMWARE\0000
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet1
PNP Device ID: ROOT\VMWARE\0000
Service: VMnetAdapter
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: VMware Virtual Ethernet Adapter for VMnet8
Device ID: ROOT\VMWARE\0001
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet8
PNP Device ID: ROOT\VMWARE\0001
Service: VMnetAdapter
.
Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}
Description: High Definition Audio Device
Device ID: HDAUDIO\FUNC_01&VEN_8086&DEV_2804&SUBSYS_80860101&REV_1000\4&35A89E12&0&0301
Manufacturer: Microsoft
Name: High Definition Audio Device
PNP Device ID: HDAUDIO\FUNC_01&VEN_8086&DEV_2804&SUBSYS_80860101&REV_1000\4&35A89E12&0&0... Read more

12 more replies

I originally posted this here My link and have followed the guide as posted in the reply.

I had a computer infected with the Win 7 Antispyware 2012 rogue anti-spyware program which I thought I had removed by following guides on this site. The problem I have is that Windows 7 cannot see my network devices. The "Computer Browser" service will not start, failing with Error 1060. I have run scans with Malwarebytes which finds nothing, but when I ran a scan with aswMBR it said I was infected with the Win32:Sirefef-FQ virus. I'm not getting redirects with Google searches but do get doubleclick.net showing on the back button in Internet Explorer.

DDS Log.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Jase at 22:19:15 on 2012-02-20
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.4095.2657 [GMT 0:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\syst... Read more

Answer:Help removing Win32:Sirefef-FQ Infection

Hello Pintglass! Welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Read more

88 more replies

Hello,

I opened my husband's computer today and my ESET indicated that there was an infection and the computer hadn't deleted it and needed to reboot to finish the deletion. However, even after the reboot I got the message, and keep getting it. I didn't notice very much wrong with my computer, only I noticed when I opened Chrome that a new window was opening, and I noticed the link being opened was something like "kaokaema.." I couldn't catch the name in time before it redirected.

So I know that there's something still very wrong, as I keep getting the blue screen... I can't scan with GMER without getting the blue screen (even with all programs closed and the mouse deactivated)... so here are the rest of the logs..

It's the win32/Sirefef.DA trojan... and I found some "solutions" on other forums like deleting entries in regedit or in the Application Data folder, but didn't find those entries.

Please help!

thanks,

Vivian


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:19:45 PM, on 11/28/2011
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16982)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\explorer.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPS... Read more

Answer:win32/sirefef.da trojan Infection!!! Help please!

16 more replies

Howdy Bleeps,
My computer seems to be harboring a pesky application that my current security system (CA) can't seem to get rid of (or conversely my computer is allowing entry of malware that CA can't block). I don't really know what is happening, being that I am not too tech-savvy.
CA scans can detect the byproducts of this application, but I assume it can't find the root of this Sirefef.EB infection itself because I keep getting virus alerts about it. For the last few weeks(?) whenever I turn on my computer, I quickly get a Virus Infection Alert from CA identifying the bad file (always located at C:\windows\system32\, but with a different .dll name).
I started getting these alerts after I made some online purchases (airline tickets, rental car, trail run registrations). Prior to this I had been experiencing some oddity where I would get frequent Windows error messages saying there was a problem connecting to websites and the program (i.e. the internet) would have to be closed. I found that if I did not click on "Send Report/Don't Send Report" and just moved that window off screen I could still navigate around the web, so I just ignored those messages.

Apart from these constant virus alerts, the only other apparent dysfunction from this infection has been website redirects. They seemed related to Google searches (I stopped clicking on search results and started copy/pasting the website URLs), but every now and then the redirects would happen after I cl... Read more

Answer:Win32/Sirefef.EB redirect infection

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At t... Read more

23 more replies

I am trying to restore my wife's computer.

I have installed ESET Smart Security. When it scans it detected and removed a bunch of trojans etc. However, it was not able to remove the Win32/Sirefef.DA trojan.

I also installed Malwarebytes. It found a bunch of stuff too and it said that things were cleaned. However, this was not in safe mode.

However, when scanning with ESET Smart Security it still tells me that the Win32/Sirefef.DA trojan is still there.

Internet Explorer still diverts Google and tries to open popups. ESET blocks a bunch of web requests to an unknown website.

This is a Dell Vostro running Windows XP Home 2002 Service Pack 2, Intel Core Duo CPU 1.4 GHz, 2.00 GB of RAM.

This computer may very well have had these viruses for some time. We had McAfee System Protection but it has been outdated for some time.

I have attached the attach.txt from DDS.

So I am requesting help.

Here are the DDS logs:

DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Pam at 10:53:41 on 2011-12-25
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1413 [GMT -5:00]
.
AV: ESET Smart Security 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k Wud... Read more

Answer:Win32/Sirefef.DA and possible Rootkit Infection

Hello and welcome to BleepingComputer! I am Blind Faith and I will be helping you out with your problem.

Firstly, you should know that we are working with specific tools which are destined to identifying the possible threats present on your system, so I will analyze the results they produce. As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look on that step.

DO NOT bring any changes to the system except the ones I tell you to, as that may produce more damage than helping us. If you will encounter a delay of over 2 days from me, please don't hesitate and private message me. Do not forget to check your topic periodically and subscribe to the topic so that you can receive notifications regarding my replies.

Please generate another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.

Thank you very much for your patience.
Regards,
Elle

6 more replies

Hello, MSE had a message that said it detected and cleaned a virus, and in the history came up:
Trojan:win32/sirefef.ak
.am
.ag
/sirefef
and then it proceeded to say remove.
I kept getting the MSE logo spinning and saying cleaning, and then the same viruses would be in the history.
I used Malwarebytes and it found the four as well and cleaned them, but I feel something is still there and running in the background, because when I reboot my desktop icons keep resetting if I change them. Need help.

Thanks
LR

what do you need for me to run a log to show the computer status?

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Roger Trudel :: ROGERTRUDEL-PC [administrator]

12/06/2012 6:25:09 PM
mbam-log-2012-06-12 (18-25-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 280359
Time elapsed: 15 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)... Read more

Answer:Trojan: win32/sirefef.ak & am & ag and sirefef

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete ... Read more

28 more replies

Just saw this, Eset started acting up today. I did see a process running in process explorer, but didn't get a good look at it before I ended it. Said to my self, might as well give it to the experts.

Answer:Win64/Patched.B.Gen trojan & win64/sirefef.w

Hello,
Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.
If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
Orange Blossom

17 more replies

First of all, thanks to the ones who will help me getting rid of these menaces.

History: one or two days ago, while I was surfing the internet, a "flash player update" showed up, I gave it the permission to run, but as soon as it finished I was redirected to a page of adobe's site where there was written that the version of flash player I installed was not the last one. Then the pc started to freak out with this program, Live Security Platinum, that wanted to force me to acquire a license. Fortunately, I managed to remove Live Security Platinum with MalwareBytes anti-malware, but then my antivirus (ESET Nod32, ver 5.0.1) continuously showed two advices, the former about Win64\Sirefef.AL trojan, which was continuously sent to quarantine but always showed up again; the latter about Win64\patched.b.gen trojan, that NOD32 was "unable to clean", so I tried to use a restore point of a week ago. The pc seems to work normally, and NOD32 doesn't show those advices anymore, but when I try to open gmail with firefox it says "Firefox has detected that the server is redirecting the request for this page so that it can never be completed.", so I think the trojans are still here somewhere.

Yet again, thanks to who will help me

Answer:Pc infected by win64\patched.b.gen and win64\Sirefef.AL

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At... Read more

18 more replies

Hey,

Since today I got a problem with ESET not deleting some trojans, namely Win64/Sirefef.AL, Win64/Patched.B.Gen. ESET is popping up the threat quite often, but can't remove them.
I don't have any clue what to do about it. Can anyone help me?

Greetings

Answer:Win64/Sirefef.AL, Win64/Patched.B.Gen (services.exe)

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At... Read more

17 more replies

This was a big "doh" moment for me. I have been relying on Microsoft Security Essentials and Windows Firewall with safe practices to keep my computer clean since the end of last year. Yet I slipped up and got infected from browsing a website.

I noticed that during the infection the Adobe Flash Player installer popped up. I realized, too late, what was going on and canceled it. Of course the damage was done. A window for a fake antivirus called Security Shield popped up. MSE and Windows Firewall were disabled and I'm afraid to try and reinstall them in case it nukes my computer.

Next my Chrome browser gave me invalid certificate errors and every browser was redirecting navigation.

Java was also acting up and giving me syntax error windows. This had been happening for a while so not sure if it's a virus.

I've performed backups of all my personal files and went through some other forums before landing on this one.

Before using this site's READ ME, I ran the following and quarantined/deleted files when prompted.

-MalwareBytes - quarantine/deleted files
-Prevx - scan only
-Eset online scanner
-aswMBR - discovered the rootkit virus in post title
-MBRcheck
-Hitman Pro (not sure if it was 64bit)
-TDSSKiller - came up empty

I deleted and replaced my hosts file, so now it is back to its default value.

So far it's fixed the browser issues, but MSE and Windows Firewall are still down. So then I follow the Major Geeks READ ME to the tee... Read more

Answer:GAC_64\Desktop.ini - Win32:Sirefef-PL Infection

Welcome to MajorGeeks, YourTransistor

From Programs and Features (via Control Panel), please uninstall the below:

Java(TM) 6 Update 31 <== Outdated

Open RogueKiller again.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[3].txt
Attach RKreport[3].txt to your next message. (How to attach)

__

Manually delete the following folders:


C:\Users\Kyle\AppData\Local\{0470adf4-0dd4-eec5-b768-520f19998c6f}
C:\WINDOWS\Installer\{0470adf4-0dd4-eec5-b768-520f19998c6f} <== Does not exist anymore according to your logs, but double-check
Let me know if you had any trouble doing this.

__

C:\Users\Kyle\Desktop\aswMBR.txt <== Attach this to your next message

__

I think your HitmanPro log is corrupted. I cannot get it to open. Please rescan and attach its log.

__

Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

Now open Repair_Windows.exe
Go to the Start Repairs tab.
Press the Start button
Create a System Restore point if prompted.
In the Repair Options window, choose the following repairs:
Reset Registry Permissions
Repair Windows Firewall
Repair Hosts File
Remove Policies Set By Infections
Repair Winsock & DNS Cache
Repair Windows Updates

Place a checkmark in Restart/Shutdown System When Finished... Read more

4 more replies

Here's my logs: DDS and two GMER logs, one zipped. The link to my original post ( http://www.bleepingcomputer.com/forums/topic424433.html ) and I have run a few things just to see if they'd clean it but not sure what I was doing so I haven't made any changes. I haven't done anything since these logs so I don't mess up anything. First my DDS log and the attached zip file!!!!!

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by orion311976 at 21:20:39 on 2011-10-21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.655 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd... Read more

Answer:Trojan Downloader: Win32/Sirefef.B Infection

Its been a couple of days, just check'n if I'm still in line for help.....

17 more replies

A few days ago I started having issues with Google redirecting me to random ad websites, as well as Flash Player update popups. I updated my Microsoft Security Essentials, and since then it has been warning me with the presence of the file names in the topic title, and giving me the option to remove them. I select the removal option and everything is fine for a time but then MSE pops up again warning me of the same files. Anything you could do to help me get rid of these is greatly appreciated.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_25
Run by Dave at 14:15:54 on 2012-04-03
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4031.2141 [GMT 10:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\... Read more

Answer:Infected With Alureon.FP, Sirefef.B, Sirefef.W, Sirefef.AB & Sirefef.J

Download aswMBR ( 511KB ) to your desktop.
Double click the aswMBR.exe icon to run it.
If you can have an open Internet connection, allow it to download the latest Avast engine detections.
If avast! antivirus is already installed, just do the next step.
Click the Scan button to start the scan.
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
In addition, aswMBR will produce a copy of the boot sector, MBR.dat, on your desktop. Attach this file to a reply.

3 more replies

Good morning and thank you for what you do.

On May 6th my laptop was hit with SMART HDD. I went straight to the "Am I Infected" forum, posted the problem and followed the "Remove SmartHDD Uninstall Guide" with the help of a BC Advisor. It seemed ok for a few days and I got most of my icons back.

On May 16th Microsoft Security Essentials popped up a notice saying it wasn't turned on. Absolutely couldn't get it to start without uninstalling and re-installing it. On install it ran a scan and found no threats, but later found & quarantined Trojan:Win32/Sirefef.AG and Trojan:Win32/Sirefef.I At the same time, the Windows Firewall became disabled and would not be turned on. I returned to the forum with my original BC Advisor and ran TDSSkiller and GMER and posted the log report. When I had internet connection MSE would quarantine Trojan:Win32/Sirefef.I and Trojan:Win32/Sirefef.AG at a rate of one every two minutes. The screen also said Recommended Action: Remove this software immediately. Items: file:C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] and file:C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] I hit "remove all" every time it appeared. BC Advisor responded "That's a new variant of zero access" "We need advanced tools" and told me to read the preparation guide and post a topic here.

I have followed ... Read more

Answer:Infected: New Variant of Zero Access, Sirefef.AG,Sirefef.I,Sirefef.P

Hi,

Do you have an empty USB flash drive?
We can try an alternative method.

Regards,
Georgi

more replies

Hello everyone, I have a redirect malware that keeps redirecting me whenever I try to open a link on google for example. I've had this problem for nearly a month now, and I have tried scanning my computer with all the antivirus/malwares out there, including malwarebytes, spybot, and more. The only antimalwares that detected anything were Ad-Aware and MalwareBytes, and the infected files seem to be in: "C:\Windows\assembly". The detected virus was called "Trojan.win32.sirefef" earlier on but is now called "Trojan.win32.Generic!BT". Perhaps it's just a variant.
I also have Eset Antivirus installed, and every time I turn on my computer it detects the virus and says it deleted it and requires a reboot. After the reboot, same thing happens. The virus seems to come back every time. If I perform a scan with Eset, it finds this:
C:\Windows\assembly\GAC_32\Desktop.ini - error opening
C:\Windows\assembly\GAC_64\Desktop.ini - error opening
Another problem I have is that I can't turn on the Windows firewall, I get an error whenever I try. I suppose it's also a symptom of the infection. I attached the log required by the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". I'm running a 64-bit version of Windows 7 pro, so I didn't create the GMER log. I hope I did it right and gave enough information about my problem. Thank you very much for your... Read more

Answer:Trojan.win32.sirefef infection, Google keeps Redirecting, Firewall won't turn on!

I managed to get rid of my problem!

2 more replies
Question: Win64\sirefef.y

Hi All

I'm working on removing sirefef.y from a friend's computer. The operating system is 64 bit Vista. I've seen other posts and they specify that the fix file is unique, so I'm making a new post.

I've attached the standard FRST.txt and the search.txt (searching for services.exe) as done in other posts. Both were done in system repair mode.

Help on this will be much appreciated.
 

Answer:Win64\sirefef.y

Welcome to MajorGeeks, psquared76

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

Save fixlist.txt to your flash drive.
You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now reboot normally and remember to attach your Fixlog.txt.
 

8 more replies
Question: Win64:Sirefef-A/AO

Hello, I do not know where I got it but today Avast started saying "trojan horse blocked" or "rootkit blocked" every 30 seconds or so. Avast says the virus names are Win64:Sirefef-A[trjn] and win32:sirefef-AO[rtk]. All of the Sirefef-A files are located in c:\recycler and there are very many of them in Avast's virus chest at this point. I have been trying to research it on Google and am worried if it can get any information from me checking my bank online. Even in safe mode virus scans cannot find anything and I am starting to realize handling this is outside of my capabilities. Any help would be very much appreciated, thank you for your time!
Levi

Answer:Win64:Sirefef-A/AO

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top o... Read more

16 more replies
Question: Win64/Sirefef.B

My wife's laptop - running 64 bit Vista - appears to be infected with the Win64/Sirefef.B rootkit. The biggest issue right now is that whenever you logon to the computer, a pop-up box appears saying that a Critical Error has been detected and the computer will reboot in one minute. And it does. It exhibits the same behavior when booting into Safe Mode, as well.

I've downloaded and executed the Kaspersky boot disc and the MSE boot disk, both to no avail. Neither one, at this point, reports having found anything. However, after running MSE, on the first reboot only, Windows MSE runtime will find and report the Win64/Sirefef.B infection. However, because the computer reboots, MSE is unable to take any action against the infection.

Help?

Thanks,
Lee

PS - Since the computer reboots within one minute, I am unaware of how I can generate the log files as requested.

Answer:Win64/Sirefef.B

Welcome to the forum, shoppedude!
See if you can do the following in the short span you have available...
Do you have the Repair your computer option in the Advanced Boot Options menu?
To find out: Restart the computer. As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears. Is the Repair your computer option listed?
If you do not have the option above, do you have a Windows Vista installation CD/DVD available, or, access to another Windows Vista Computer? And last, do you have a USB flash drive available?

1 more replies
Question: Win64/Sirefef.P

My PC seems to be infected with Win64/Sirefef.P. I saw in a previous post being asked to run FRST, so I went ahead and did that. Attached are the 2 txt files. If this is incorrect/anything else is needed, just let me know. Any help is greatly appreciated. Thanks.
 

Answer:Win64/Sirefef.P

Welcome to Major Geeks!

Download this >>

View attachment fixlist.txt

Save fixlist.txt to your flash drive.

You should now have both fixlist.txt and FRST64.exe on your flash drive.
Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows and tell me how things are working.
 

3 more replies
Question: Win64 Sirefef.B

MSE keeps detecting this.
Malware Bytes, MSE, and Ad-Aware scans clean, but this thing keeps coming back.
Firefox keeps opening 2 windows every time I visit a new page.
My firewall basically disappears and trying to re enable its service gives me an error saying its not installed.
I don't know how this happened, gone for a few days so probably a family member.

Any help getting rid of this would be appreciated.

edited for logs

Answer:Win64 Sirefef.B

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job this is normal.
You can download Combofix from one of these links. Link 1 Link 2 Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

14 more replies
Question: Win64/Sirefef

Microsoft windows essential found a virus win64/sirefef and many of its variants, but is unable to remove it properly.
Every time I try to remove the virus/Trojan, the computer says "Windows has encountered a critical problem and will restart in one minute." I then need to do a system restore to stop the message from appearing when I restart the computer.

Any help is appreciated.

Answer:Win64/Sirefef

Download TDSSkiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive). Do not change the default options on scan results.
Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here
Download ESET online scanner
Install it
Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply

10 more replies
Question: Win64/Sirefef.p

We have a laptop here that has this running on it just like the other threads. I ran FRST and have the text file from that attached. Thanks for the help and info! I should add that the computer has started up without the restart issue that it causes after I ran FRST. Im going through a full scan with MSE. Is any further action needed?
 

Answer:Win64/Sirefef.p

Save fixlist.txt to your flash drive.
You should now have both fixlist.txt and FRST.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows and continue with the below.

Running MGTools.
 

4 more replies
Question: Win64/Sirefef

Hello,

A few days ago I was using my Windows 7 PC on the Internet and noticed a few strange things. First, searches on google would bring back an odd certificate error message. Second, started getting some random pop-up windows with various advertisements. Last, Microsoft Security Essentials (MSE) was not active and I could not make it so.

I tried a few of my standard things - SuperAntiSpyware and Malwarebytes. SuperAntiSpyware only found tracking cookies. Malwarebytes did eliminate a few things. However, after a few reboots MSE was still not running. I decided to uninstall and reinstall MSE. That's when interesting things started to happen. The next scan found Trojan: Win64/Sirefef (and various variants at different times .W, .AA, .AB, .AN, .P). For awhile, MSE kept forcing reboots as it was trying to clean the files but then they would pop back up on reboot.

Yesterday I posted in the "Am I Infected?" forum. After providing a number of logs and following some instructions, there are some infected files that can not be removed. I was directed to open a topic here. The "Am I Infected" topic is: http://www.bleepingcomputer.com/forums/topic459471.html

I have followed the steps in the Preparation guide. Most steps were successful with the following exceptions:
5) I could not enable the Windows Firewall. When I tried to use the default settings, I got the message "Windows Firewall can't change some of your settings. Error code 0x80070242"... Read more

Answer:Win64/Sirefef

Hi,
Please run the following:
Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter. Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run. When the tool opens click Yes to disclaimer.
Uncheck the Whitelist boxes next to Registry, Services, Drivers, and known DLL's
Place a check next to List Drivers MD5
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

17 more replies
Question: Win64/Sirefef

This is a scan I did just this morning from the system recovery console.

I've tried removing the virus with Microsofts removal tool, MBAM, Superanti-spyware and the computer repairs itself because it won't boot. I would appreciate any help. I've spent hours so far trying to remove the viruses. Thanks ahead

Scan result of Farbar Recovery Scan Tool Version: 08-08-2012
Ran by SYSTEM at 08-08-2012 07:55:42
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-09-07] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-09-07] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-09-07] (Intel Corporation)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-06-18] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1890088 2010-03-17] (Synaptics Incorporated)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [DellStage] "... Read more

Answer:Win64/Sirefef

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

0 9e85bf7ff8e6964d; C:\Windows\System32\Drivers\9e85bf7ff8e6964d.sys [74184 2012-06-21] () ATTENTION =====> Rootkit?
C:\Windows\System32\Drivers\9e85bf7ff8e6964d.sys
C:\Windows\Installer\{e5aa47ef-3909-519c-e2e7-95e78d049088}
testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Now please enter System Recovery Options again.
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close... Read more

2 more replies
Question: Win64:Sirefef-C

My computer was infected with some malware, so I used malwarebytes in safe mode, which removed a lot of malware. But when I started my computer back up something called System Fix started and I restarted in safe mode with networking, used a search to find out how to remove it. I found the removal guide here and during the rkill download, System Fix started while I was in safe mode. I finally got rkill to run before it could and then used Malwarebytes, which found and removed it. I then started up normally and used the Unhide.exe but noticed that when I searched for sites I was being redirected. Not only that, now I can't seem to get Windows firewall to work. It says Error code: 0x8007042c, my restore points are missing and not everything is back like my desktop background. Plus the System Fix icon is on the desktop still.

I am way over my head, sorry for the life story.
This may be a better description of the problem: http://www.bleepingcomputer.com/forums/topic436503.html/page__pid__254

Here is the DDS.txt:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Rizu at 16:27:20 on 2012-01-11
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3033.58 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLa... Read more

Answer:Win64:Sirefef-C

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job this is normal.
You can download Combofix from one of these links. Link 1 Link 2 Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

11 more replies
Relevance 102.09%

MSE informs me of the presence of 3 Trojans:

Win32/Sirefef
Win32/Sirefef.AG
Win32/Sirefef.AL

MSE is quarantining these items and reports that they have been removed; however they have not. They provoke a response from MSE about once every 4 minutes (all 3 reappear simultaneously). MSE quarantines and then "removes" but the removal is not successful. I first noticed the MSE activity shortly after restarting the computer yesterday. Other items were detected at this time and appear to have been successfully removed - I think there were 2 other items - and I think their names were "FavPak" or similar and something with "adware" in its name.
The 3 Sirefef items continue to appear in MSE log every 4 minutes or so (simultaneously).
My machine is running Vista Home Premium (and that is about the extent of my knowledge).

I followed the trail from MSE to Microsoft help pages to Bleeping Computer (a well-trodden path I guess).
I am not particularly computer literate but I am able to follow complex instructions precisely.

Grateful for any assistance that you can give,

Thanks,

Phil

Answer:Sirefef, Sirefef.AG and Sirefef.AL infection

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more

24 more replies
Relevance 100.86%

Hello Everybody,
Can you please help with the infection? Some tools detect them and remove them, but not completely; they keep popping up every 5 mins and it shuts down.
I really don't want to reinstall the OS...

Thanks In Advance!
Chinn

Answer:Win64/sirefef.y problem

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

12 more replies
Relevance 100.86%

Hi, my step dad's computer has this virus and it's kicking my ass. It's restarting every minute and I can't do anything. I have run FRST and here is the log.
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-10-2012 01
Ran by SYSTEM at 03-10-2012 20:56:07
Running from D:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2799912 2012-02-02] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2012-02-02] (IDT, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2012-02-02] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe [94264 2011-02-15] (Hewlett-Packard Development Company... Read more

Answer:Trojan Win64/Sirefef.Y

Greetings And Welcome To The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more

3 more replies
Relevance 100.86%

I am helping a friend who used your guides to try to remove the "Live Security Platinum" malware.

She followed the guide, but while running Malwarebytes in safe mode, a message stating Windows encountered an error and was restarting in 60 seconds appeared. In about 60 seconds, Windows restarted before Malwarebytes had completed.

From that point on starting Windows normally, in Safe Mode, and Safe Mode with networking results in the above message, and a restart in 60 seconds. She tried running FixExec as mentioned in the Guide. I helped her and got it to run in Safe Mode before it restarted, but the restart message continues.

I restored to an earlier restore point about 1 week before the symptoms occurred. That seems to have stopped the restart message. The computer runs in all modes, and does not seem to have any errors.

I do not trust the clean-up. Any suggestions on how to be sure the machine is clean(er)?

Thanks for your attention.

jfparla

Answer:Trojan:win64/Sirefef

Boot the PC into safe mode with networking.
Download TDSSKiller.
Launch it.
Click on change parameters - Select TDLFS file system.
Click on "Scan".
Please post the LOG report (log file should be in your C drive).
Download aswMBR.
Launch it, allow it to download latest Avast! virus definitions.
Click the "Scan" button to start scan.
After scan finishes, click on Save log.
Post the log results here.
Download ESET online scanner.
Install it.
Click on START, it should download the virus definitions.
When scan gets completed, click on LIST of found threats.
Export the list to desktop, copy the contents of the text file in your reply.

13 more replies
Relevance 100.86%

My computer is infected with Win64/sirefef.y, b, ab, w, and m. It reboots within 60 seconds of logging in, both in normal and safe mode. Actually, it even reboots if I let it sit at the user logon screen. It reboots too quickly for any antivirus or anti-malware to disinfect it. I have run the Farbar Recovery Scan Tool - 64 bit and attached the logs (FRST.txt, Search-Explorer.txt, and Search-Services.txt). I guess I need a fixlist.txt file now. Could someone please create one for me? I would be forever grateful. Thanks, Ginger
 

Answer:Infected with Win64/sirefef.y, b, ab, w, and m

Welcome to Major Geeks!


Download this >>


Save fixlist.txt to your flash drive.

You should now have both fixlist.txt and FRST64.exe on your flash drive.
Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows and continue with the below.

Now run MGtools as requested in the below and attach the C:\MGlogs.zip file that it creates.

Also attach Fixlog.txt from FRST.
 

3 more replies
Relevance 100.86%

Hello, I have read many responses to this issue and was hoping I would be able to get some help with this issue.

History:
Originally I was seeing page redirects and Microsoft Security Essentials was giving me errors. I ran Avast pre-boot scan and cleaned, everything seemed fine. I checked MSE and it was still having the same issue, I reinstalled and now I am seeing it discovered Win64: Sirefef.B Virus. Since then, almost immediately after each boot I am getting a pop-up stating Windows will restart itself. I cannot stop the shutdown, no strange services to my knowledge, and this occurs in safe mode as well. System restore has not been able to help.

Because of the short reboot window I have not been able to fix much - I have attached the Farbar results. Any help is greatly appreciated!!
 

Answer:Win64 Sirefef.B has beaten me, please help

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

Save fixlist.txt to your flash drive.
You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

-------------------------------

You now need to follow these procedures and attach all of the requested logs after doing so.

READ & RUN ME FIRST. Malware Removal Guide
 

22 more replies
Relevance 100.86%

Last night I was attempting to find a unicorn game for my daughter to play and I went to a site that told me I had to update or install a flash player. I clicked thru the prompts to update or install and immediately got a pop up that Windows was shutting down in 60 seconds. I have managed to get around this error by hitting F2, F8, choosing Repair Windows and System Restore; I restored it to the day before this happened. I have followed all of the instructions thus far. I got to the part where I download, launch and update Malwarebytes and my problem returned, advising me the system would shut down in 60 seconds, and I was unable to launch any of the other downloaded tools. I had to do system restore to post this. The only one that I could run was the Rogue Killer. I am attaching that file. Thanks So Much for your time.
 

Answer:Win64 Sirefef Windows 7 Pro

Go to Start Menu > Run > (Type in) shutdown -a

Now are you able to continue on with the Read and Run Me?
 

13 more replies
Relevance 100.86%

Hiya,

I have been having some difficulty with the viruses named above. I do not know how I managed to get them, as I stay away from what I would consider harmful sites, and only really use Facebook/Google/Youtube/My Uni's Own Website

I keep running scans on Microsoft Security Essentials, which keep identifying these viruses (Sometimes as often as every 2/3 minutes). I keep trying to remove them, but they don't seem to go.

I'm running Windows 7

I found a similar topic on this forum, where someone suggested downloading Farbar Recovery Scan Tool, and running it in System Recovery, and then posting the FRST.txt file that was saved. I have done this, and this is the content of the file

---------

Scan result of Farbar Recovery Scan Tool Version: 05-08-2012 03
Ran by SYSTEM at 07-08-2012 19:10:24
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1814312 2010-10-29] (Synaptics Incorporated)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [610872 2009-08-25] ()
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [171520 2009-10-31] (Sun Microsystems, Inc.)
HKLM\...\Run: [SysTrayAp... Read more

Answer:Trojan:Win64/Sirefef.AB and Trojan:Win64/Sirefef.W

Hi Paradoxymoron,
Welcome to the forum.
We need a fresh log of the latest FRST.
Please delete your copy of FRST and download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the not... Read more

17 more replies
Relevance 100.86%

Hello, my Norton antivirus subscription ran out last week and I switched to Microsoft Security Essentials. After installing it, I tried to update its definitions, but the computer began restarting after startup. I get the critical error message saying my computer will restart in one minute. This occurs in all 3 safe modes immediately after logging into Windows. MSE says I have win64/sirefef.y and win64/sirefef.b but it cannot remove them before shutdown occurs.

I have windows vista, 64 bit on the computer. My girlfriend has a laptop, so I'll be able to access the Internet directly while working on the infected computer. I looked at other posts on the forum and took the liberty of running frst64.exe and got the two logs everyone seems to ask for initially. They are posted below.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<FRST64.exe>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 02
Ran by SYSTEM at 20-07-2012 00:45:30
Running from F:\
Windows Vista ™ Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] RAVCpl64.exe [x]
HKLM\... Read more

Answer:win64/sirefef.y and .b on Vista 64 bit

Hi
Please do the following:
Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM-x32\...\Run: [] [x]
C:\Windows\Installer\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}
C:\Users\Brian\AppData\Local\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}
replace: C:\Windows\SoftwareDistribution\Download\d15e0adcf011f7a00bde2023e8b74a00\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt.
Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
Reboot Normally.

NEXT

Refer to the ComboFix User's Guide. Download ComboFix from the following location:

Link

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a ri... Read more

8 more replies
Relevance 100.86%

Hello, I am looking for a way to remove the Win64/Sirefef.AB trojan. I followed some of the other threads and I have run the FRST64 tool, and the output text file is attached here. I appreciate any help that is available.
 

Answer:Trojan:Win64/Sirefef.AB

We need some additional information so that we can replace an infected system file.

Boot to System Recovery Options and run FRST again.
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply.
 

4 more replies
Relevance 100.86%

Hello,

Yesterday, I was using my Windows 7 PC on the Internet and noticed a few strange things. First, searches on Google would bring back an odd certificate error message. Second, I started getting some random pop-up windows with various advertisements. Last, Microsoft Security Essentials (MSE) was not active and I could not make it so.

I tried a few of my standard things - SuperAntiSpyware and Malwarebytes. SuperAntiSpyware only found tracking cookies. Malwarebytes did eliminate a few things. However, after a few reboots MSE was still not running. I decided to uninstall and reinstall MSE. That's when interesting things started to happen. The next scan found Trojan: Win64/Sirefef (and various variants at different times .W, .AA, .AB, .AN, .P). For a while, MSE kept forcing reboots as it was trying to clean the files, but then they would pop back up on reboot. I think I managed to get control back from MSE, but I am at a loss on how to proceed. I did some searches on Sirefef and realized I need some help. Please let me know what information to provide.

Thank You!

Answer:Trojan: Win64/Sirefef

Download TDSSKiller.
Launch it.
Click on change parameters - Select TDLFS file system.
Click on "Scan".
Please post the LOG report (log file should be in your C drive).
Download aswMBR.
Launch it, allow it to download latest Avast! virus definitions.
Click the "Scan" button to start scan.
After scan finishes, click on Save log.
Post the log results here.
Download ESET online scanner.
Install it.
Click on START, it should download the virus definitions.
When scan gets completed, click on LIST of found threats.
Export the list to desktop, copy the contents of the text file in your reply.

15 more replies
Relevance 100.86%

Basically it all started when a malware virus scanner was installed on my computer, telling me I had a whole bunch of trojans/etc. I knew it was a virus so I downloaded a bunch of free virus scanners and got rid of some. However one of them would tell me I received a critical error and Windows needed to restart. I downloaded Microsoft Security Essentials and it found this and quarantined these things. Again critical error and Windows needed to restart. Now I had another problem.. my computer would start up and after 15 seconds it would critical error again and would want to restart. So after 10x I finally was able to open MSE and remove the quarantine on the items and uninstalled MSE from my computer.

Other things to note:
I can't turn on my Windows firewall.
If I mess with this thing I get a critical error and my computer restarts.

Any help would be amazing.. thanks =)

Screenshot: http://i.imgur.com/ziOXw.png

Answer:Trojan:Win64/Sirefef.W

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more

17 more replies
Relevance 100.86%

Microsoft Security Essentials (which is the only thing that picks it up) detected Trojan:Win64/Sirefef.B at C:\Windows\system32\consrv.dll, but each time it says it removed it, or it says not found, and it just keeps coming back. I haven't tried anything else to remove it and also haven't noticed much change in the way of performance or operation of the computer.

Answer:Trojan:Win64/Sirefef.B

Hello and Welcome to Bleeping Computer!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more

19 more replies
Relevance 100.86%

Dell laptop has sirefef.b trojan sirefef.j trojan and win32/alureon.TK

These are all trojans.

The laptop has MicSecEssentials, and malwarebytes free version, both of which I put onto the computer after the viruses were there.

system Specs:
Dell Inspiron
intel i3 2130 2.3 ghz
4gb ddr3 ram
hd graphics 3000
Win 7 64

I wanted professional help to deal with these problems and I do not trust many random websites. Please assist! Any help will be greatly appreciated.

-Mike

Answer:Trojan win64/ sirefef.b and .J

This is safe - and you are right to be wary...

Microsoft Safety Scanner - Antivirus | Remove Spyware, Malware, Viruses Free

7 more replies
Relevance 100.86%

As far as I know my computer is infected with win64/Sirefef B and win64/Sirefef Y. I tried removing it with Windows Defender Offline which didn't succeed. I do not have a Windows boot CD / install disc.

PS. Ark.txt isn't included in the ZIP file since I'm not running a 32 bit version, I hope I understood this correctly.

DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by T.M. Meijers at 18:47:21 on 2012-10-20
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.31.1033.18.3948.2429 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwor... Read more

Answer:Logs - win64/Sirefef B + Y

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In ... Read more

11 more replies
Relevance 100.86%

Hi,

On approximately the 8th of July Microsoft Security Essentials alerted me to state that Win64/Sirefef had been found on my system and that the associated files had been quarantined. At the same time I received a fake Flash update prompt which would not stop appearing; when I looked in Task Manager I found a randomly named EXE file and closed this, which closed the Flash prompt. I then cleared the quarantined files from MSE and manually removed the folders where the files had been located. I then did a full system scan with MSE and ESET Online Scanner which, if I recall correctly, did not find any infected files. However last week when helping a friend with a virus infection I ran some other tools on my system, which makes me think MSE did not manage to stop the infection completely. Below is an extract from a RogueKiller scan I did which I believe indicates a potential ZeroAccess infection.

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: Jamie [Admin rights]
Mode: Scan -- Date: 07/22/2012 15:44:56

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤
[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Jamie\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n.) -> FOUND
[HJ] HKCU&... Read more

Answer:Win64/Sirefef / ZeroAccess

Hello and welcome to Bleeping Computer! I am D-FRED-BROWN and I will be helping you. Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.

----------Step 1----------------

I know you've already run TDSSKiller before, but please run it one more time so we have an up-to-date idea of what may be remaining on the computer.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan.
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Skip is selected, then click Continue > Reboot now to finish the cleaning process.
Note: Do not choose Cure or Delete unless instructed.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually ... Read more

7 more replies
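The same persistence pattern recurs across the FRST and RogueKiller extracts quoted in these threads: an empty autorun entry (`Run: [] [x]`), a GUID-named directory under C:\Windows\Installer and under the user's AppData\Local, and a COM InprocServer32 value redirected into that directory. As an added example (not code from any of the threads, from FRST, RogueKiller or any other tool named above), the script below applies those indicators as simple detection rules to log text so a helper can triage a pasted log before writing a fix. The sample log lines and the GUID in them are constructed placeholders, not values from a real machine.

```python
import re

# Constructed sample log lines modelled on the FRST / RogueKiller output
# quoted in the threads above. The GUID is a placeholder, not a real IoC.
SAMPLE_LOG = """\
HKLM\\...\\Run: [SynTPEnh] %ProgramFiles%\\Synaptics\\SynTP\\SynTPEnh.exe [2799912 2012-02-02] (Synaptics Incorporated)
HKLM-x32\\...\\Run: [] [x]
C:\\Windows\\Installer\\{00000000-1111-2222-3333-444444444444}
C:\\Users\\Example\\AppData\\Local\\{00000000-1111-2222-3333-444444444444}
[ZeroAccess] HKCR\\[...]\\InprocServer32 : (C:\\Users\\Example\\AppData\\Local\\{00000000-1111-2222-3333-444444444444}\\n.) -> FOUND
HKLM\\...\\Run: [MSC] "c:\\Program Files\\Microsoft Security Client\\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
"""

# Registry-style GUID in braces: 8-4-4-4-12 hex digits.
GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"

# Detection rules derived from the indicators seen in the quoted logs:
# an empty Run entry, a GUID-named directory under Windows\Installer or a
# user's AppData\Local, and an InprocServer32 value pointing at the "\n." file
# inside such a directory. Rules are (name, compiled pattern).
RULES = [
    ("empty_run_entry", re.compile(r"\\Run: \[\] \[x\]", re.I)),
    ("guid_dir_installer", re.compile(r"C:\\Windows\\Installer\\" + GUID + r"\s*$", re.I)),
    ("guid_dir_appdata", re.compile(r"\\AppData\\Local\\" + GUID + r"\s*$", re.I)),
    ("inprocserver32_hijack", re.compile(r"InprocServer32.*" + GUID + r"\\n\.", re.I)),
]


def scan_lines(lines):
    """Return (line_number, rule_name, line) for every line that matches a rule.

    A line is reported once, under the first rule that matches it.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name, line.rstrip()))
                break
    return hits


def scan_text(text):
    """Split a pasted log into lines and scan it."""
    return scan_lines(text.splitlines())


def suspicious_guids(text):
    """GUIDs appearing in any flagged line, lower-cased and sorted.

    The same GUID recurring in the Installer directory, the AppData directory
    and the InprocServer32 value is the pattern worth investigating.
    """
    guid_re = re.compile(GUID, re.I)
    found = set()
    for _, _, line in scan_text(text):
        found.update(g.lower() for g in guid_re.findall(line))
    return sorted(found)


if __name__ == "__main__":
    for lineno, rule, line in scan_text(SAMPLE_LOG):
        print(f"line {lineno}: {rule}: {line}")
    print("GUIDs to investigate:", suspicious_guids(SAMPLE_LOG))
```

Run against the constructed sample, the script flags lines 2 to 5 and reports the single placeholder GUID; the two legitimate Run entries (Synaptics and Microsoft Security Client) are not flagged. The rules are deliberately narrow so that a GUID-named directory on its own is only a lead to check, not a verdict; the helpers in the threads above still confirm each entry before putting it in a fixlist.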
Relevance 100.86%

I'm trying to help my mother in law whose Windows 7 64-bit computer is apparently infected with Sirefef / Sirefef.Y
Shortly after startup, I get the critical error message saying my computer will restart in one minute. I can't seem to stop it from doing so, even in safe mode, so there isn't time to remove the trojan using Malware Bytes. I have Security Essentials too, but no luck removing this (also the 60 second restart is an issue).

Can someone please guide me through what I need to do? Thanks!!

Answer:Trojan Win64/Sirefef.Y

Hello, will the same thing happen in Safe mode (try all three safe mode options)?

4 more replies