Computer Support Forum

Help removing Sirefef.R & Sirefef.AH

Question: Help removing Sirefef.R & Sirefef.AH

Hi,

Am I able to get some guidance or help regarding the above malware, please? My PC is restarting itself every few minutes and none of my usual tools are removing these files.

I am running Win7 professional x32

Please find attached the frst.txt and search.txt files as per other threads on this malware.

Thanks in advance.

Relevance 100%

Answer: Help removing Sirefef.R & Sirefef.AH

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Attached is fixlist.txt

Save fixlist.txt to your flash drive.
You should now have both fixlist.txt and FRST.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

-------------------------------

You must now follow these procedures please. READ & RUN ME FIRST. Malware Removal Guide

18 more replies
Relevance 79.46%

Please run the following: download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under the File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for the x64 version type e:\frst64) ... Read more

Answer:Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute. Firewall cannot turn on

Hi,

Thanks for the reply.

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 29-07-2012 11:19:09
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL "" [1111568 2011-10-08] (Trend Micro Inc.)
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2589992 2011-04-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [617120 2011-03-13] (Atheros Commnucations)
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [197152 2011-02-10] (Trend Micro Inc.)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\A... Read more

20 more replies
Relevance 78.01%

Hello,

I post my problem here as it seems the only place where I've found people who actually know what they're talking about. I have a Sony Vaio laptop running Windows 7 64 bit infected with the Sirefef virus. Microsoft Security Essentials shows that it found:

Trojan: Win64/Sirefef
Trojan: Win64/Sirefef.Y
Virus: Win64/Sirefef.B
Trojan: Win64/Sirefef.Z
Trojan: Win64/Sirefef.W

Every time I boot the computer, MSE finds these infections, and prompts me after a minute to restart in order to complete the removal. But every time it reboots, the message is still there. I tried installing Malwarebytes but it won't let me cause it says "access denied" or something like that. Sorry for not providing any more information but I can use my PC for only a couple of minutes every time (cause it reboots automatically). I followed your instructions and scanned with DDS. I attach the attach.txt file it generated. I look forward to hearing from you as I really need the laptop for my university studies and I'm in the middle of the exam period. Thank you for your time!

P.S. If I restore my whole system to factory settings, is the problem going to persist? Cause if it's not, I will do it in a heartbeat. The only problem is that I am afraid of infecting my external hard drive (which would be already infected if the virus spreads to external devices). Would that be the case? Will I need to clean my external HDD too?

Answer:Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean! Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an... Read more

2 more replies
Relevance 104.96%

A few days ago I started having issues with Google redirecting me to random ad websites, as well as Flash Player update popups. I updated my Microsoft Security Essentials, and since then it has been warning me with the presence of the file names in the topic title, and giving me the option to remove them. I select the removal option and everything is fine for a time but then MSE pops up again warning me of the same files. Anything you could do to help me get rid of these is greatly appreciated.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_25
Run by Dave at 14:15:54 on 2012-04-03
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4031.2141 [GMT 10:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\... Read more

Answer:Infected With Alureon.FP, Sirefef.B, Sirefef.W, Sirefef.AB & Sirefef.J

Download aswMBR ( 511KB ) to your desktop.
Double click the aswMBR.exe icon to run it.
If you can have an open Internet connection, allow it to download the latest Avast engine detections.
If avast! antivirus is already installed, just do the next step.
Click the Scan button to start the scan.
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
In addition, aswMBR will produce a copy of the boot sector, MBR.dat, on your desktop. Attach this file to a reply.

3 more replies
Relevance 104.96%

My security alert says I have these four viruses and all attempts to clean them using Microsoft Forefront Client Security have failed. Besides, the computer shuts down every couple of minutes. Please help, I am frustrated.

Answer:Please help me rid my laptop of win32/sirefef.an, sirefef, sirefef.ao, and sirefef.ag

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At... Read more

23 more replies
Relevance 104.55%

Good morning and thank you for what you do.

On May 6th my laptop was hit with SMART HDD. I went straight to the "Am I Infected" forum, posted the problem and followed the "Remove SmartHDD Uninstall Guide" with the help of a BC Advisor. It seemed ok for a few days and I got most of my icons back.

On May 16th Microsoft Security Essentials popped up a notice saying it wasn't turned on. I absolutely couldn't get it to start without uninstalling and re-installing it. On install it ran a scan and found no threats, but later found & quarantined Trojan:Win32/Sirefef.AG and Trojan:Win32/Sirefef.I. At the same time, the Windows Firewall became disabled and would not turn on. I returned to the forum with my original BC Advisor and ran TDSSKiller and GMER and posted the log report. When I had an internet connection MSE would quarantine Trojan:Win32/Sirefef.I and Trojan:Win32/Sirefef.AG at a rate of one every two minutes. The screen also said Recommended Action: Remove this software immediately. Items: file:C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] and file:C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] I hit "remove all" every time it appeared. The BC Advisor responded "That's a new variant of zero access" "We need advanced tools" and told me to read the preparation guide and post a topic here.

I have followed ... Read more

Answer:Infected: New Variant of Zero Access, Sirefef.AG,Sirefef.I,Sirefef.P

Hi,

Do you have an empty USB flash drive?
We can try an alternative method.

Regards,
Georgi

more replies
Relevance 99.22%

I went ahead and scanned with the FarBar Recovery Scan Tool. Attached is the result.
 

Answer:Removing Sirefef.AB and Sirefef.P

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Attached is fixlist.txt

Save fixlist.txt to your flash drive.
You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

-------------------------

Now run FRST again, no fix, just a scan and attach the log.

Now follow these procedures please. READ & RUN ME FIRST. Malware Removal Guide
 

1 more replies
Relevance 98.81%

Need help. I have 2 computers, 1 active and the other one is older. The one computer that is active the family uses a lot. This computer has a big issue.

When you start Windows Vista in safe mode or regular mode, it will shut down 4 minutes after the desktop is shown. I tried a system restore to a date 2 months back, hoping to clean it up, but it did not work. Microsoft Security doesn't detect it until it reaches the 4 minute mark.

The computer gives a pop up window that says "Windows encountered a problem and will shut down." I tracked the problem and found Win32/Sirefef.AB, Sirefef.R, Sirefef.AH.
All were detected on this computer. I tried to put a malware detector on it within the 2 minute mark before it shuts down, but it doesn't make it. So I am using my old computer for investigating. Files are backed up in full.

This old computer has Avast Pro, Spybot, and Malwarebytes Anti-Malware. I just recently took the hard drive out (from the infected computer) and placed it in an exo case to see if I can fix it that way with this old computer. Please help before I get deeper in a hole.
 

Answer:Never faced this issue before,can someone help.I have Sirefef.r sirefef.ah sirefef.ab

10 more replies
Relevance 94.71%

Hello all,

I'm a first time poster here and have come here looking for help in resolving my infection issue. I followed the directions in the read first thread and will post my logs. I am / was experiencing the following issues:

Firefox would redirect to various pages such as newsfudge.com. Since proceeding through the read first post, and also running goored? I have not noticed this recently.
Sometimes browsing seems to be incredibly slow, possibly related to the redirections.
Since attempting to troubleshoot this issue (Microsoft Security Essentials), it is believed that this is causing the following issue:

! You are about to be logged off
Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now.

If I let the computer restart itself, then this will keep happening. I have learned to "interrupt" it by running a normal restart after the message pops up. So far every time the computer comes back I won't get the message. If I restart again, it will happen again. I haven't noticed anything in particular relating to this in the system log.

While not experiencing problems with the programs to resolve issues like this, I have noted that it has prevented me from patching games such as Rift. I believe this is related.
While working in safe mode sometimes I noticed the Adobe Flash 11.3 installer would frequently run trying to get me to install it. I do believe there was a massive security thr... Read more

Answer:Win32/Sirefef.AB & Win64/Sirefef.P; Browser Redirection, Windows Critical, Restarts

Welcome to Major Geeks!

Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.

Also allow Hitman to delete the C:\Windows\assembly\GAC_32\Desktop.ini piece of the infection.
Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.
Reboot back into normal Windows and run another scan with HitmanPro and then attach the latest hitmanpro.zip log.
Also do the below:

Delete the below folders if found:
C:\Windows\installer\{5efa2d27-76c5-fff1-abd3-fdc5fc0c9d41}
C:\Users\Administrator\AppData\Local\{5efa2d27-76c5-fff1-abd3-fdc5fc0c9d41}

Download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

C:\MGlogs.zip
Make sure you tell me how things are working now!
 

1 more replies
Relevance 94.71%

Hello,

Yesterday my PC was infected with the Live Security Virus. It's an HP desktop running Win Vista Home Premium.

I was able to download AntiMalwarebytes and run it to remove the Live Security Virus.

Afterwards MSE would not run, so I uninstalled it, and reinstalled.

After rebooting, MSE detected the Sirefef.AH and Sirefef.R viruses, but before it can clean them the PC gives a warning that it has had a critical error and will restart in a minute. It then restarts.

I tried downloading TDSSKiller onto a flash drive on this PC (my laptop), plugged it into the infected PC and ran it, but it didn't find anything. Sure enough, it then shut down again.

MSE will detect the viruses, but doesn't have enough time to deal with them.

I'd love some help! What should I try next?

Thanks!
Ian

Answer:Infected with sirefef.ah and sirefef.r after Live Security Update - reboots every minute

Ignore this for now, I've taken the PC into a local shop. I just don't have the time right now to figure this out on my own. I will post any solutions they tell me.

Thanks anyway, I'll be back for other issues I'm sure!

22 more replies
Relevance 94.71%

Referred from here: http://www.bleepingcomputer.com/forums/topic462175.html ~ OB

I am running Windows Vista with Microsoft Security Essentials when I first encountered the problem. The virus shut down MSE and the Microsoft update center, my firewall, etc. I downloaded MBAM, ran the scan, and it caught some files. Disinfected them, rebooted, rescanned, and the files appeared again. (while running in safe mode with networking from the point after being infected). I followed the instructions here: http://www.bleepingcomputer.com/virus-removal/remove-security-shield first because this is where I believe all the problems began (that is after my wife clicked on an embedded link within FB). Upon completing the entire process, I noticed I still had the sirefef trojan, sirefef virus, and rootkit 0 access as I was running MSE and MBAM right before getting the "windows (Vista) encountered a critical error and will restart" loop. I have already downloaded frst.exe and ran it through the USB drive connected to the infected CPU. I do not know what to do from this point on to get my CPU back to "healthy" and virus free status again ?????? Running Vista 32 bit

Answer:Security SHield 2012, sirefef trojan, sirefef virus, and rootkit 0 access TROUBLE!

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At... Read more

58 more replies
Relevance 94.3%

A few days ago, I got the Sirefef.AB and Sirefef.W virus on my computer. I had no idea the severity of my problem until after I reinstalled MSE which has now caused my computer to constantly restart. I have used Farbar to create a FRST.txt and Server.txt file, though I do not know if that will help on this site in the removal of this blasted virus, and I will wait to post it until I have been instructed if I should do so. I really am at a loss here. I am not that great with computers, and could really use some help.

Edit: Added note, for the short while before I reinstalled MSE, I was having redirection problems when clicking on Google links. It also restarts in Safe Mode.

Answer:Sirefef.AB and Sirefef.W for Windows 7 Infected Computer with Constant Reboot

Greetings And Welcome To The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At... Read more

3 more replies
Relevance 93.48%

Hello Helper--First, thank you so much for your help. I hope this is not overly thorough... My topic title reflects what has been found on my machine using a variety of tools-- but I still don't trust that my machine is clean. I want to avoid reinstalling Windows since I don't have a current image disk, and have a lot of stuff installed. [Lesson learned: keep a current image disk on hand]

----> Here's what happened: I updated Skype via a pop up window that appeared after closing my connection [to Skype]. Soon thereafter ESET [my antivirus] notified me it had quarantined a variant of the Win32 Sirefef.DN trojan. I immediately Googled this and found I was continually redirected to a random Yellow Pages webpage. The only other strange symptom I had noticed until this point was that back on Dec 5 Defender notified me it had found Sirefef.J-- I wondered how that could have happened and found my firewall had been turned off. I reset it back to on, and had not noticed anything else weird until the Skype incident above on Dec 28.

---> Here's a brief and likely sequentially inexact description of what I did to clean my machine-- I don't remember the order in which I did all these things and can't remember which tools found what, as I sat for ~ 20 hours straight working on it. But this is sort of what I did: Scanned with ESET - ESET reported it found this in operating memory: \GLOBAL??\fd4f11f3\Windows\SNtUninstall\KB60604S�... Read more

Answer:Sirefef variant.dn / Sirefef.J /Sirfef.B / 0 Access root kit

Hello and welcome to Bleeping Computer.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.
Please include a clear description of the problems you're having, along with any steps you may have performed so far.
Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Even if you have already provided information about y... Read more

53 more replies
Relevance 93.48%

I went through the other threads and noticed a fix.txt is needed to repair my brother's computer. I used the frst64 to acquire the two logs attached to this message. Any chance someone can help us? Let me know if you need anything else. His computer starts up and then shuts down before much can be done so I don't have a normal log for you, but I will see what I can get for you.

Thanks!
Scott

View attachment FRST.txt

View attachment Search.txt
 

Answer:win32/sirefef.ab and win64/sirefef.p infection fix.txt needed

You did not run it properly, as indicated by the contents of the log. You need to do it again according to these instructions and you must NEVER follow a fix tailored especially for someone else.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
Sys... Read more

11 more replies
Relevance 92.25%

Ladies and Gentlemen of the VTSM forum,

I need help. I thought I had a pretty simple rootkit infection, but tdsskiller/mbam has proven ineffective. MSE is able to identify and ostensibly remove the infection, but doing so makes the computer unbootable and system repair unable to complete, forcing a system restore to the infected state. The infection extends back to the oldest restore point. Win7 64 bit, running MSE and the MS firewall with mbam for antimalware. SFC /scannow shows clear. Google redirects on Firefox and Chrome, occasional slowdowns, Windows Defender is unable to start on boot, otherwise the system seems to be running fine. No rootkits recognized by tdsskiller. As mentioned in the title, MSE shows win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e

Here's the DDS log. Please let me know what else I should supply. Thank you in advance!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by wstrawn at 16:51:52 on 2012-02-17
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4061.1285 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* / Copyright 4
SP: Microsoft Security Essentials *Enabled/Updated* / Copyright 3
SP: Windows Defender *Disabled/Updated* / Copyright 2
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch... Read more

Answer:win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e combination is killing me

Hi Weeps!
My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!
I would be glad to take a look at your log and help you with solving any malware problems.
If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, please delete the copy that you... Read more

37 more replies
Relevance 91.84%

Hi,
I have recently changed AV programs from ESET NOD32 to Microsoft Security Essentials.

Upon running a scan with MSE, it has detected two trojans,
Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

Located in:
C:\Windows\assembly\GAC_32\Desktop.ini

I have gone through READ & RUN ME.
I did not run RootRepeal as I have Windows ultimate x64.
ComboFix and TDSSKiller did not create log files.

TDSSKiller did find 2 threats and attempted to delete them; upon reboot Windows became stuck in loading.

Thanks in advance
 

Answer:Trojan:Win32/Sirefef.AB & Win64/Sirefef.P

Currently reviewing those logs and will get back to you as soon as possible.
 

2 more replies
Relevance 91.84%

Hello,

Microsoft Security Essentials is notifying me that Win32/Sirefef.AB and Win64/Sirefef.P are potential threats, but of course trying to remove them does nothing.

Attached is my Farbar Recovery Scan Tool log. Thanks in advance for any help!

Answer:Win32/Sirefef.AB and Win64/Sirefef.P Infection

Hello user314159 and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know! I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below: Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, ple... Read more

4 more replies
Relevance 91.84%

I recently downloaded a file and was later infected by Win32/Sirefef.AB and Win64/Sirefef.P viruses. Any help in resolving this issue would be greatly appreciated.
 

Answer:Infected with Win32/Sirefef.AB and Win64/Sirefef.P. Help

Welcome to MajorGeeks, Yellow77

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and f... Read more

3 more replies
Relevance 91.84%

Microsoft Security Essentials keeps reporting this Trojan and quarantines it. After attempts to remove the file, It keeps reappearing. It shows a file location that I am unable to find on my system C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\U\[email protected]
Now I am getting a warning about VirTool Win32/Obfuscator.XQ @ C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\n However, this file cannot be located either. There is no C:\Windows\Install directory.
Also Combofix loads and starts then it crashes. Disappears from file manager and splash screen disappears -- The program literally stops running.


DDS Text File Contents:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Estelle Clark at 2:59:47 on 2012-05-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2423.1353 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSp... Read more

Answer:Infected with Trojan:Win32/Sirefef.AG and Sirefef.I

Hello and Welcome to Bleeping Computer!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us. Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post. Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process. Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post. NOTE:... Read more

4 more replies
Relevance 91.84%

Title pretty much says it all. Whenever my computer restarts if I don't do anything Microsoft Security Essentials will detect 2 infections, Sirefef.AH and Sirefef.R, and then inform me that I have a minute until the computer shuts down. If I end the process for Microsoft Security Essentials before any detections occur though then I can use my computer like normal. I'm guessing I need to use FRST to replace services.exe like in the other topics exhibiting this behavior, but since I can't interpret the logs I don't know how to fix this myself and admit that I could be way off.

On a possibly unrelated note, I've never been able to get ComboFix to run properly. I was asked to use it in a prior help topic on this site but was unable. Since then I've tried several times on my own to make it run to no avail. It always hangs after it informs me that it may take 10 minutes or more for badly infected systems and that text just hangs there even when I leave it on overnight.

I don't really care if ComboFix ever runs on my computer, but I figured it could be a symptom for something else so I'm listing it. Mostly I'd just like to be able to restart my computer without racing to stop processes before it gets stuck in a cycle.

Thanks in advance for whoever decides to help me.

Answer:Infected Sirefef.AH and Sirefef.R, computer keeps restarting

Please run the following:
download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

9 more replies
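The poster above guesses that the fix is to replace services.exe, and the helper's reply asks for an FRST scan from the Recovery Environment because the machine shuts down a minute after booting. The script below is an added triage example for the indicators the posters in this thread report (a patched System32\services.exe, Desktop.ini files dropped into assembly\GAC_32 and GAC_64, and a Windows\Installer\{GUID}\U folder or \n file); it is not code from the thread, from FRST or from Microsoft. It assumes PowerShell 4.0 or later (Get-FileHash), an elevated prompt, and, on a machine that reboots within a minute, running from WinRE/WinPE against the mounted system volume by passing -SystemRoot. The expectation that System32\services.exe is a hard link to one of the winsxs copies is an assumption about a healthy install, and the 'MZ' header test is a heuristic.

```powershell
# Sirefef/ZeroAccess indicator triage. Added example for this thread; not code
# from the thread, from FRST, or from Microsoft.
# Assumptions: PowerShell 4.0+ (Get-FileHash), elevated; for a box that reboots
# within a minute, run from WinRE/WinPE with -SystemRoot pointing at the mounted
# volume (e.g. D:\Windows). Indicator paths are the ones posters reported; the
# {GUID} folder name is matched with a pattern, not hard-coded.
param(
    [string]$SystemRoot = $env:SystemRoot
)

$findings = New-Object 'System.Collections.Generic.List[string]'

function Test-MzHeader {
    # True when the file starts with the 'MZ' DOS stub, i.e. it is a PE image
    # regardless of its name (a real Desktop.ini is plain text).
    param([string]$Path)
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    } catch {
        return $false
    }
}

# 1. Every services.exe under the Windows directory (the list FRST's Search
#    writes to search.txt). Sirefef patches the live copy in System32 and the
#    helpers' fixlists restore it from winsxs. On a healthy install the System32
#    copy is a hard link to one of the winsxs copies (assumption), so its hash
#    should match at least one of them.
$copies = @(Get-ChildItem -Path $SystemRoot -Filter services.exe -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Size      = $_.Length
            Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            # Caveat: catalog-signed system files can report NotSigned on older
            # PowerShell builds or offline volumes; weigh the hash test more.
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    })
$copies | Format-Table -AutoSize | Out-String | Write-Output

$livePath = Join-Path $SystemRoot 'System32\services.exe'
$live = $copies | Where-Object { $_.Path -ieq $livePath } | Select-Object -First 1
$sxs  = @($copies | Where-Object { $_.Path -like (Join-Path $SystemRoot 'winsxs\*') })
if (-not $live) {
    $findings.Add("System32\services.exe is missing")
} else {
    if ($live.Signature -ne 'Valid') {
        $findings.Add("System32\services.exe signature status is $($live.Signature)")
    }
    if ($sxs.Count -gt 0 -and -not ($sxs | Where-Object { $_.Sha256 -eq $live.Sha256 })) {
        $findings.Add("System32\services.exe hash matches none of the $($sxs.Count) winsxs copies (patched binary?)")
    }
}

# 2. Desktop.ini dropped into the GAC folders, the MSE detection posters saw.
foreach ($gac in @('assembly\GAC_32', 'assembly\GAC_64')) {
    $ini = Join-Path $SystemRoot (Join-Path $gac 'Desktop.ini')
    if (Test-Path -LiteralPath $ini -PathType Leaf) {
        $item = Get-Item -LiteralPath $ini -Force
        $kind = if (Test-MzHeader -Path $ini) { 'PE image named Desktop.ini' } else { 'unexpected Desktop.ini' }
        $findings.Add("$kind at $ini ($($item.Length) bytes, attributes: $($item.Attributes))")
    }
}

# 3. Windows\Installer\{GUID}\ folders holding a 'U' subfolder or an 'n' file,
#    the locations MSE reported. They are hidden and often deny Explorer access,
#    hence -Force and an elevated prompt.
$installer = Join-Path $SystemRoot 'Installer'
Get-ChildItem -LiteralPath $installer -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$' } |
    ForEach-Object {
        $u = Join-Path $_.FullName 'U'
        $n = Join-Path $_.FullName 'n'
        if (Test-Path -LiteralPath $u -PathType Container) { $findings.Add("Sirefef-style payload folder: $u") }
        if (Test-Path -LiteralPath $n -PathType Leaf)      { $findings.Add("Sirefef-style loader file: $n") }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Sirefef indicators at the paths checked (that is not a clean bill of health).'
} else {
    Write-Output 'INDICATORS:'
    foreach ($f in $findings) { Write-Output "  $f" }
}
```

Run it as `.\Sirefef-Triage.ps1` on the live system, or `.\Sirefef-Triage.ps1 -SystemRoot D:\Windows` from a recovery environment where the infected volume is mounted as D:. The script only reports; it deliberately deletes nothing, because the thread's helpers replace services.exe from a known-good winsxs copy via an FRST fixlist rather than by hand, and a wrong replacement leaves the machine unbootable.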
Relevance 91.84%

Hello. My antivirus picked up these two and I was wondering if anyone could help me remove them. I tried using dds to send you logs but no attach or dds txt pops up after using it,and I'm an amateur when using computers so I have no idea how to find those logs if they exist somewhere in my system. Hope someone can help.

Answer:win64 sirefef -btt and win32 sirefef - a detected

Hello SONYAns I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems. Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us! Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post. Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process. Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same",... Read more

4 more replies
Relevance 91.84%

Problem started as Live Platinum fake anti-virus. I thought I successfully removed this with MBAM, etc. But shortly thereafter MSE alerted that it detected Sirefef.R & Sirefef.AH. Now every time I reboot I get a message that Windows has encountered a critical problem and the computer shuts down after 1 minute. I followed the steps on the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help, but I am not able to run DDS or GMER scans because the system reboots before they finish. I am stuck!
OS is Windows 7, 32-bit.
Thanks in advance.

Answer:Sirefef.R, Sirefef.AH, computer shuts down after 1 minute

Greetings And Welcome To The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us. Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post. Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process. Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post. NOTE: At the ... Read more

23 more replies
Relevance 91.84%

Hello everyone, I just discovered this forum while searching for a fix to my problem. I stumbled upon this post [Thread @ Bleepingcomputer] and he has the exact same problem as I have, even though the name is different. It seems his problem was fixed through a few custom actions a member suggested to him, and I figured I was SOL with my problem and would need the help. So thanks in advance to whoever ends up helping me! So my PC was running a bit slow, but the thing that ticked me off was this popup that kept appearing randomly, even once triggering on youtube.com, a site which has never generated popups in the recent past. This nagged me so I launched MBAM and it found something called Trojan.Dropper.BCMiner and it failed to remove it after asking for a reboot. So I try a bunch of stuff, I don't really remember all I did since I fired in no precise order, ComboFix (which didn't start at first, but it did once I rebooted into safe mode later in the process), the kaspersky malware tool I've seen suggested a lot here (I don't remember the exact name), MBAM, a MSSE scan and SUPERAntiMalware. All of them failed at doing anything good. I also ran the avast MBR fix tool to no avail, it actually blue screened my PC. After I started reading on the topic linked earlier, I ran almost the exact same procedure, up to getting a FRST log, which I now do have. In the end, I'm having the same problem I had at the beginning, MSSE is crazy about the two desktop.ini files in... Read more

Answer:Infected with Win32/Sirefef.P and Win64/Sirefef.AB

Hi, I'd like to see an updated FRST log:
download Farbar Recovery Scan Tool and save it to a flash drive. (you need the 64bit version)
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.... Read more

14 more replies
Relevance 91.84%

Computer wasn't showing up on the local network, firewall was complaining it couldn't start and the service was missing. Function Discovery Resource Publication was refusing to start too. Skimmed some blogs, ran Combofix and let it do its thing (realise that I probably shouldn't have been so cavalier now) and the computer restarted and reappeared on the network. The firewall sprang back into life, windows downloaded several updates and security essentials detected Win32/Sirefef!cfg in two locations and Win64/Sirefef.AC in another. These were quarantined and deleted. Ran Malwarebytes antimalware which detected a couple of other things in install files (not running) and removed them. I subsequently ran combofix /uninstall and the computer seems to be behaving itself, but I want to be sure that I've actually removed the infection. DDS log below, many thanks in advance:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 1.6.0_35
Run by daniel at 21:23:25 on 2012-12-10
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.44.1033.18.8183.5735 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows&... Read more

Answer:sirefef.ac and sirefef!cfg infection - firewall and various other services were gone

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us. Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post. Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process. Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post. NOTE: At the top o... Read more

16 more replies
Relevance 91.84%

Hi guys,

Since yesterday I'm getting alerts from Microsoft Security Essentials about trojans in C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini

First I tried bootable live CDs from AVG and Dr.Web, scanned and cleaned the PC with Microsoft Security Essentials; after that didn't help, I smoked Google a little and found your forum.

Read "READ & RUN ME", and here are the log files.

Huge thanks in advance
 

Answer:Trojans: Win32/Sirefef.AB and Win64/Sirefef.P

and here are 3 other logs..
 

4 more replies
Relevance 91.84%

My computer is restarting every minute due to "critical error" because of Sirefef. I went ahead and got both FRST.txt and Search.txt for services.exe which I will post below. Also, I want to know if it is likely that Sirefef might spread through USB stick or my home network to another Win 7 computer? I am guessing I got infected from a fake adobe flashplayer update, is that right?

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 16-07-2012 01
Ran by SYSTEM at 19-07-2012 22:44:46
Running from G:\
Windows 7 Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SunJavaUpdateSched] [x]
HKLM\...\Run: [LogMeIn Hamachi Ui] [x]
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\CompooterUser\...\Run: [DAEMON Tools Lite] [x]
HKU\CompooterUser\...\Run: [Steam] [x]
HKU\CompooterUser\...\Run: [uTorrent] [x]
HKU\CompooterUser\...\Winlogon: [Userinit] [x]
HKU\CompooterUser\...\Winlogon: [Shell] [x]
HKU\Default\...\Run: [Sidebar] [x]
HKU\Default\...\Winlogon: [Userinit] [x]
HKU\Default\...\Winlogon: [Shell] [x]
HKU\Default User\...\Run: [Sidebar] [x]
HKU&#... Read more

Answer:Sirefef.R and Sirefef.AH infection with forced restart

Greetings And Welcome To The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us. Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post. Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process. Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post. NOTE: At... Read more

6 more replies
Relevance 91.84%

Yes I have the dreaded infection and have downloaded the frst64.exe and will run it to get the log files...
Any other directions or advice would be great

Not sure if this is the correct place to post virus infection requests...if not please direct me to the correct place...I do have the frst.txt file for my issue to upload when necessary.

Thanks
Russ

Answer:Win32/sirefef.AB / win64/sirefef.P infection

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

You can also post the FRST log

Good luck

1 more replies
Relevance 91.84%

Hello. I have an XP machine, pretty old though works (except it is slow...probably some other residual trojan issues). I need your help!! Please assist.

I have Microsoft Security Essentials and MalwareBytes Anti-Malware on my machine. MSE detected the Sirefef.ac and Sirefef.ah trojans/viruses several days ago. It removed them. Then they appeared again and were removed again. This occurs every day. (FYI, MSE is always on and does an automatic daily scan. MBAM is run by me manually every several days.)

Over the weekend, I tried using various add'l software to get rid of these items & others though at the end of the day, the situation remains as noted above. Very frustrated that I can't do this on my own and am worried about my computer security. (I believe I used Eset, Kaspersky TDSS killer, ccleaner, & itMan Pro)

First, if the sirefef items show as being removed, is my computer safe to use or should I turn it off? When I do get on the internet (when MSE shows all clean and green status), I do get to my default site, msnbc, can get to other sites, and don't get redirected.

I searched and found what seems like exactly the same problem in your forum.

topic450849 raised by MarkP, helped out by Broni, &
its successor topic, topic451285 helped out by Gringo.

Should I just follow and replicate what was noted on those forums or wait and follow specific instructions?

Thanks so much for trying to help me out!!

Kind regards,

Davidad

Answer:XP Infected w/ sirefef.ac & sirefef.ah & need help to permanently remove

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue. Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic. If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs. It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

9 more replies
Relevance 91.84%

Avast keeps detecting Win32:Sirefef-B, Win64:Sirefef-A, and sometimes Win32:Malware-gen. Multiple scans detect & quarantine files, but the trojan warning keeps popping up. My friend ran ComboFix on it & claims that everything is fine now, but I'm concerned that he shouldn't have run ComboFix yet and also that it may not have actually removed this infection. Here is my log from DDS.txt:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16506
Run by Michael Calhoun at 0:57:18 on 2013-10-07
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.3034.1819 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Intuit\... Read more

Answer:Infected with Win32:Sirefef-BTT & Win64:Sirefef-A

Hello troyman5150 I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems. Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us! Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post. Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process. Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sam... Read more

16 more replies
Relevance 88.15%

Hi

A friend of mine brought his PC to me. When I opened it, after 1-2 minutes Windows showed an error and said that the PC would restart itself 1 minute later.
I have Microsoft Security Essentials. At the time I see the error, Security Essentials briefs me about the virus. It happens at the same time. The virus container file is system32/services.exe.

I only have 2 logs because I had no time before it rebooted. Sorry about my English.

Thanks.
 

Answer:Sirefef.r Sirefef.ah (PC Boot itself in 1-2 minutes)

Hello there. Your English is just fine.


This indicates you did not run the tool correctly. Follow the instructions further below to do so.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Opti... Read more

9 more replies
Relevance 88.15%

I noticed that my desktop icons stopped saving their size and position. This set off personal alarms about my computer so I decided to run a full AVG scan. Completed the AVG scan and it got rid of things, but my desktop icons still kept behaving abnormally. Decided to try MSE (uninstalled AVG), and that did a full scan and identified the Sirefef virus. Now every time I boot and every time I open firefox or do anything internet related, it pops with two warnings about Sirefef AB and P infecting the Desktop.ini files in the file:C:\Windows\assembly\GAC_32\ folders. Removal does nothing. Ran a MBAM quick scan and detected a Trojan.Dropper.BCMiner which I tried to remove and it just comes back. I run W7-64bit so I did not create a GMER log. I posted a bunch of logs from the tools I've seen other people have the posters run, so I could cover all the bases with one swoop. Thanks in advance and I appreciate any help.
-----------------------------DDS pasted below -----------------------------
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_32
Run by CCM at 16:59:48 on 2012-06-02
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-... Read more

Answer:Sirefef.AB / Sirefef.P - Desktop.ini Infections

Hi,

Please run the following:

download Farbar Recovery Scan Tool and save it to a flash drive. (you need the 64bit version)
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bi... Read more


Hello,

I'm infected with two versions of Sirefef (AC and AH). Windows Security Essentials pops up a message that one of them was found. The virus is always in a *.dll file in C:/Windows/System32. WSE doesn't manage to remove it completely.
I also have a Redirector that opens Firefox tabs when I search for something on Google. It mostly opens this site: http://nutritioncuisine.com/videos/?src=113636&utm_source=AD_113636_5_304654&utm_medium=cpv&utm_campaign=NCvideosCPV113594 (You probably should not open this without a script blocker...), but this virus isn't even found by WSE....

I'm using Windows Vista Home Basic SP2.

Please help me. I don't know what to do to remove the viruses.

Florian

Answer:Im infected with Sirefef.AH & Sirefef.AC and a Redirecter...

Download TDSSkiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)

Please download GMER from here (does not work on 64 bit OS)
http://www2.gmer.net/download.php
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here


The computer has run slowly for about a week now. Ran Malwarebytes and Microsoft Security Essentials. It picks up Sirefef.E and Sirefef.D and quarantines and removes them. They come back within minutes. So frustrating and I am worried about other damage it may be doing!

Firefox will also randomly open a webpage - eminentsearch or Lycos or some other odd search page.

I appreciate any help you can offer!!!

Answer:sirefef.d and sirefef.e and eminentsearch redirect

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427706 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


I've found similar problems on these forums and would greatly appreciate a Fixlist.txt
Please and Thank you as always.
 

Answer:Sirefef.P and Sirefef.AB Removal Needed

Welcome to Major Geeks!

We need some additional information to replace an infected system file.

Boot to System Recovery Options and run FRST again.
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (See How to attach)
 


Hello, MSE had a message that said detected and cleaned virus and in the history came up Trojan:win32/sirefef.ak
.am
.ag
/sirefef and then proceeded to say remove.
Kept getting the MSE logo spinning and saying cleaning and then the same viruses would be in history.
I used Malwarebytes and it found the four as well and cleaned them but I feel something is still there and running in the background because when I reboot my desktop icons keep resetting if I change them. Need help

Thanks
LR

what do you need for me to run a log to show the computer status?

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Roger Trudel :: ROGERTRUDEL-PC [administrator]

12/06/2012 6:25:09 PM
mbam-log-2012-06-12 (18-25-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 280359
Time elapsed: 15 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)... Read more

Answer:Trojan: win32/sirefef.ak & am & ag and sirefef

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, please delete ... Read more


I keep getting hit by the same trojans and trend micro keep telling me that it deletes malicious software that has titles like [email protected] and [email protected] But the files keep coming back, and trend micro makes me restart to get rid of them, or other files, sometimes. There was also one file that Trend micro couldn't get rid of and I have no idea what that was. Please help.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by DAvid at 18:18:23 on 2012-07-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.996 [GMT -4:00]
.
AV: Trend Micro Titanium *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.ex... Read more

Answer:TROJ_ZEROA.DUKKS, SIREFEF.DD, SIREFEF.QY

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more


Hello,

I've been infected with Sirefef for a week now, tried system restore, full system scans in safe mode, TDSSKiller, numerous Sirefef removal tools from Kaspersky, Eset, Symantec to no avail. MS SE still finds Sirefef reincarnations from time to time.

please help!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by The Great Dark Lord at 2:12:28 on 2012-07-01
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8159.4495 [GMT 4.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Wind... Read more

Answer:Sirefef.P Win32 / Sirefef.Y Win64

Hi,

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter. Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run. When the tool opens click Yes to disclaimer.
Uncheck the Whitelist boxes next to Registry, Services, Drivers, and known DLL's
Place a check next to List Drivers MD5
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Hello kind removal helpers,
I have an XP SP2 installation that was infected with sirefef, sirefef.AG and .AL. Forefront theoretically removed them after much trying, but now I cannot install any Microsoft update and would like to get this machine to SP3. Downloaded the installer but it fails with 'The requested lookup key was not found in any active activation context' Service Pack 3". Tried the fix in 949377, but cannot even download the fix. I cannot connect to any shares to get the file from there either.
Please advise as to what I can do to get this thing cleaned up. Appreciate it.
 

Answer:recovery and repair from sirefef, sirefef.AG and AL

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Ant... Read more


I've been noticing that randomly websites were opening pop-ups (advertisements) and that internet was running slow...decided to run MSE and noticed it was turned off. So I enabled it and immediately it displayed a threats detected message identifying Sirefef.ab (C:\Windows\assembly\GAC_32\Desktop.ini) and Sirefef.p (C:\Windows\assembly\GAC_64\Desktop.ini). After several removal attempts, each of which resulted in Windows displaying a message that Windows has encountered an unexpected error and will restart in a minute...I gave up on MSE.

After fooling around with other anti-virals, i.e. Ad-aware, Malwarebytes etc...I gave ComboFix a try and I've attached the log file. I think ComboFix screwed something up as I can't run any program anymore...every time I start a program I get a message saying "Illegal operation attempted on a registry key that has been marked for deletion". What should I do now? ComboFix log file is attached.

Thanks!

Answer:Sirefef.ab and Sirefef.p Removal complications

Ok...so ComboFix had already removed quite a lot of stuff. I went ahead and removed the top two drivers as well - the ones with randomly generated names. Rebooted my computer and everything seemed fine, all programs running fine as well. So I re-installed MSE and ran a full scan, it identified the same files in the assembly folder and a few others, removed those files...another reboot and everything has been fine since then. No program crashes, slow internet or pop-ups.


Last night, I noticed MSE was not running and I could not update or run a scan. I uninstalled and reinstalled MSE. It scanned and detected Sirefef.R and Sirefef.AH and a message appeared that the computer would shutdown in one minute. The same thing happens in safe mode.

I am unable to run READ AND RUN ME FIRST because of the shutdowns (sending this from another computer).

I ran FRST.exe and have attached the file.

Thanks
 

Answer:Sirefef.R & Sirefef.AH - reboots after 1 minute

Please do the below as we need to locate a backup file to replace an infected one.

Boot to System Recovery Options and run FRST again.
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (See How to attach)
 


My computer has the dreaded sirefef! I'm running Windows Vista Home Basic Service Pack 2. 32 bit.

A few weeks ago Microsoft Security Essentials (MSE) stopped running. I tried to start it again but a message came up stating that the program didn't exist as an installed service. I also noticed that Windows Defender was off and it also claims it doesn't exist as an installed service (error 0x80070424). When I tried to reinstall Windows Defender, it popped up a message "Windows Defender does not need to be installed because it is included with Windows Vista. You can access it from the control panel."

The other day I decided to try to get Security Essentials running again by uninstalling it and reinstalling it. It worked and began to scan my computer. It found two threats: sirefef.AH and sirefef.R. I clicked clean threats and MSE started cleaning them. HOWEVER, sometime after I got MSE running again, I got a notice that read: "Windows has encountered a critical error and will automatically restart in one minute. Please save your work now." My computer restarted and I got that notice again. I tried safe mode and I still got that message and forced restart, but it happened slower. In safe mode I ran MSE again, it saw the same threats, I clicked clean, and it claimed they were cleaned (I know they aren't).

Eventually I chose the option "Repair Computer" from the F8 menu and went to a restore point 2 weeks earlier. (But not without ... Read more

Answer:sirefef.ah and sirefef.r have infected my laptop!

I'd like to see the ComboFix log as well please. It can be found at C:\combofix.txt (older logs at C:\qoobox\combofix2.txt)

Then please do the following:

download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" ... Read more


Hi,
I'm struggling with getting rid of Sirefef. Tried about everything except personal help. I would very much appreciate it if someone could guide me through this process.
Thanks!

Answer:Need a help removing Sirefef !

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.08.03

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Mindaugas :: MINDAUGAS-PC [administrator]

09/06/2012 22:22:41
mbam-log-2012-06-09 (23-09-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 230842
Time elapsed: 46 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\Installer\{d5e958d4-a421-67ef-3915-4c5d2f409263}\U\[email protected] (Trojan.Small) -> No action taken.
C:\Windows\Installer\{d5e958d4-a421-67ef-3915-4c5d2f409263}\U\[email protected] (Trojan.Sirefef) -> No action taken.
C:\Windows\Installer\{d5e958d4-a421-67ef-3915-4c5d2f409263}\U\8000[email protected] (Rootkit.0Access) -> No action taken.

(end)


Hey there!

Last night my computer security system (Microsoft Security Essentials) suddenly got disabled, and stated that my computer was in danger. I immediately re-installed it in hopes of seeing exactly what was wrong. After doing a quick scan of the computer, the program started attempting to remove the infected files. After doing so, it started forcing itself to restart. This continued for at least 5 or 6 times, before I in the end just had to uninstall MSE. The restarting wouldn't stop, and I barely even had time to uninstall the program before it wanted to restart again.

I eventually managed to remove the program, but the computer still remains infected. When checking the log for MSE, I could see that it was infected with sirefef.b and sirefef.y, among other sirefef.'s. I didn't know what to do, so I went on Google and found this thread here on the Bleeping Computer forum:
http://www.bleepingcomputer.com/forums/topic459829.html

I have as of right now followed Gringo's first post in the thread linked to above, and these are the logs that he requested in that thread:

Results of screen317's Security Check version 0.99.42
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
AVG Internet Security 2012
Microsoft Security Essentials
Antivirus up to date! (On Access scanning dis... Read more

Answer:Need help removing sirefef.b and sirefef.y, among others.

Quick update: My computer just got shut down by accident. Just wanted to let you know, in case it has any effect on the instructions I followed in Gringo's first post in this thread:
http://www.bleepingcomputer.com/forums/topic459829.html

Thanks!


Hello all. I've run FRST.exe and have generated the corresponding TXT files for the initial scan and then searching on "services.exe." I'd really like to know how to generate the fixlist.txt file... as I'm curious how one would do that (couldn't find a tutorial). However, if someone wants to just go ahead and generate the fixlist.txt file, that'd be appreciated as well.
 

Answer:Need help removing Sirefef.R.

Welcome to MajorGeeks, incutonez.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

Save fixlist.txt to your flash drive.
You should now have both fixlist.txt and FRST.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.
 


Hi, I'm new here and I'm in trouble.

When I tried to open my email today, my browser told me that I am infected with sirefef Gen C. I also realized that I can't access pretty much everything that is password-based, e.g. fb, twitter, college portal.

I tried installing Microsoft Security Essentials as suggested by the browser but the installation could not complete. It says something about 0x80070643 error. I'm pretty sure that I don't have any other security tools that might interrupt the installation.

What do I do? Your reply is very much appreciated.

Answer:Help in removing Sirefef Gen!C

Welcome aboard. This type of infection requires elevated help. Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


MSE informs me of the presence of 3 Trojans:

Win32/Sirefef
Win32/Sirefef.AG
Win32/Sirefef.AL

MSE is quarantining these items and reports that they have been removed; however they have not. They provoke a response from MSE about once every 4 minutes (all 3 reappear simultaneously). MSE quarantines and then "removes" but the removal is not successful. I first noticed the MSE activity shortly after restarting the computer yesterday. Other items were detected at this time and appear to have been successfully removed - I think there were 2 other items - and I think their names were "FavPak" or similar and something with "adware" in its name.
The 3 Sirefef items continue to appear in MSE log every 4 minutes or so (simultaneously).
My machine is running Vista Home Premium (and that is about the extent of my knowledge).

I followed the trail from MSE to Microsoft help pages to Bleeping Computer (a well-trodden path I guess).
I am not particularly computer literate but I am able to follow complex instructions precisely.

Grateful for any assistance that you can give,

Thanks,

Phil

Answer:Sirefef, Sirefef.AG and Sirefef.AL infection

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more


This month my internet usage was much higher than usual, and when I went to run a virus scan through Microsoft Security Essentials I realized that it had been disabled for almost a month. I googled Microsoft Security Essentials and noticed that all of my results were being redirected to other websites, but I was able to download it after I typed in the URL manually. I uninstalled MSE and reinstalled it, and ran a scan which very quickly found that I was infected by the following viruses:

Trojan: Win64/Sirefef
Trojan: Win64/Sirefef.AA
Trojan: Win64/Sirefef.AN
Trojan: Win64/Sirefef.B
Trojan: Win64/Sirefef.W

Each time MSE attempts to remove these viruses the computer restarts, and the same files are found when I run the scan again. In fact, I had to disable MSE because its constant attempts to clean the viruses forced my computer to restart every few minutes.

I attempted to follow the guide at http://sirefef.com/ but I wasn't able to find any of the registry values it told me to look for, so I didn't actually make any changes to my computer. I'm currently downloaded Malwarebytes, but I have a feeling that it won't be successful. What should I do?

Answer:Help removing Sirefef viruses

Download TDSSkiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)
Do not change the default options on scan results

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here

Download ESET online scanner
Install it
Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply

5 more replies

I need help removing what I think is a rootkit on my computer. I found this:
C:\Users\Patrick\AppData\Local\{592b4cac-6dda-08f8-729e-e69892c21e95}
Which contained:
- two folders, each with a single-character file name, one of which contained nothing and one of which contained three files
- a system file called "@" and a system file called "n".
I've encountered this kind of thing before and usually just force delete all files, but this time I can't force delete one of the files. I force deleted all files except for "n". If I try to force delete "n" or unlock it with FileASSASSIN I get a blue screen. This occurs even in safe mode.
Other problem, not sure if it is related, is sirefef.fb.gen, which was found by ESET Online Scanner, which was unable to remove it.

Edit: Moved topic from Vista to the more appropriate forum. ~ Animal

Answer:need help removing a rootkit and sirefef.fb.gen

Update:

Ran Malwarebytes and it was able to remove "n" and the rest of the rootkit. Still having trouble with sirefef.fb.gen, though.

19 more replies
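The folder layout the poster describes (a braced-GUID directory under AppData\Local holding files named "@" and "n" beside single-character sub-folders) is exactly the kind of thing a responder wants to enumerate before deciding what to clean. The script below is an added example for this thread, not code from the post or from any tool mentioned in it: it scans a profile's AppData\Local for that layout and reports matches. The sample tree it builds in a temporary directory is constructed to mirror the post (the GUID is the one quoted above; the sub-folder names "U" and "L" and all file contents are made up, since the post only says the names were a single character), so the check runs offline.

```python
"""Flag the folder layout described in the post above: a braced-GUID
directory under AppData\\Local holding files named '@' and 'n' next to
single-character sub-folders. Added example for this thread, not code from
the post or from any tool it mentions. The sample tree is constructed in a
temporary directory so the scan runs offline; the sub-folder names 'U' and
'L' and the file contents are made up."""
import re
import tempfile
from pathlib import Path

# {8-4-4-4-12} hex: the naming the post reports for the suspect folder.
GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
MARKER_FILES = {"@", "n"}


def looks_like_sirefef_dir(path: Path) -> bool:
    """True when `path` is a braced-GUID folder that contains both marker
    files and at least one single-character sub-folder, as in the question."""
    if not (path.is_dir() and GUID_DIR.match(path.name)):
        return False
    entries = list(path.iterdir())
    files = {p.name for p in entries if p.is_file()}
    short_dirs = [p for p in entries if p.is_dir() and len(p.name) == 1]
    return MARKER_FILES <= files and bool(short_dirs)


def find_suspect_dirs(local_appdata: Path) -> list:
    """Sorted string paths of suspect folders directly under AppData\\Local;
    empty when the directory is absent, so a missing profile is not an error."""
    if not local_appdata.is_dir():
        return []
    return sorted(str(p) for p in local_appdata.iterdir()
                  if looks_like_sirefef_dir(p))


def build_sample_tree(root: Path) -> Path:
    """Constructed sample reproducing the layout quoted in the post, plus two
    benign neighbours that must not be flagged. Returns the AppData\\Local path."""
    local = root / "Users" / "Patrick" / "AppData" / "Local"
    bad = local / "{592b4cac-6dda-08f8-729e-e69892c21e95}"  # GUID from the post
    (bad / "U").mkdir(parents=True)        # one empty single-character folder (name made up)
    (bad / "L").mkdir()                    # one holding three files (name made up)
    for i in range(3):
        (bad / "L" / f"f{i}").write_bytes(b"\x00")
    (bad / "@").write_bytes(b"\x00" * 16)  # the two marker files named in the post
    (bad / "n").write_bytes(b"\x00" * 16)
    # Benign: an ordinary folder and a GUID-named folder without the markers.
    (local / "Microsoft").mkdir()
    other = local / "{11111111-2222-3333-4444-555555555555}"
    other.mkdir()
    (other / "settings.ini").write_text("ok")
    return local


def run_demo() -> list:
    """Build the sample tree in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_suspect_dirs(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for hit in run_demo():
        print("suspect folder:", hit)
```

On a real machine you would point `find_suspect_dirs` at each user's AppData\Local instead of the constructed tree; a GUID-named folder on its own is normal (many installers create them), which is why the check requires the "@" and "n" files as well before it reports anything.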

I got this through ESET NOD32 as a trojan in operating memory. I used the ESET Sirefef removal tool and it said that my computer was not affected. I used Malwarebytes, did a scan and found some infected files; I quarantined them and rebooted my computer and still got the message from ESET that the trojan is still on my computer.
 

Answer:removing win32/sirefef trojan

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain (if any still do)!
Helpful Notes:
If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual update Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user account, try using a different user account (if you have one... Read more

11 more replies

Hi!

I need help in removing Win32/sirefef.er from my computer. Basically I keep getting alerts from AVG that my computer is infected with this virus and continue to get the same notice even after it says 'threat removed.' After doing some research I found that it is a Trojan that is in AVG; I saw a similar post on the forum here with the same issue, so I am hoping you can help me as well.

Thanks, and much appreciated.

Answer:Infected with win32/sirefef.er need help removing

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username; if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete ... Read more

11 more replies

I recently ran a virus scan and I can't seem to get rid of the viruses. I will delete them, then they come back every 2 minutes or so. Any help would be greatly appreciated, thanks.
 

Answer:Trojan:Win32/Sirefef.AL and AQ, Need help removing please!

In order to provide the antimalware experts with the information they'll need to correctly diagnose and solve your problem, please follow the instructions in this thread:
http://forums.techguy.org/virus-other-malware-removal/943214-everyone-must-read-before-posting.html

The malware removal forum is very busy and techguy insists that antimalware volunteers be suitably trained before they're authorized to help. This means that it can take a while before someone gets to your thread, but once they do they'll stick with you until the machine is clean.
 

1 more replies

Hello, this is my first time in this forum. My first indication of a problem with my computer was that MSE was not started, and would not start when I attempted to do so. I uninstalled MSE, and then reinstalled it. During the quick scan it attempted during the installation, it let me know it found the serious threat of Sirefef.AH. I told it to remove the problem and it began to do so, but before it was done, a Windows message popped up: "Windows has encountered a critical problem and will restart in automatically in one minute. Please save your work." I then have approximately 60 seconds to do anything before the computer reboots itself. Now, it is giving me this error and reboot every time I restart the computer. It does this even in safe mode. I used the Farbar Recovery Scan Tool to get this log:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by SYSTEM at 23-07-2012 14:33:55
Running from H:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13605408 2009-03-06] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2009-03-06] (NVIDIA Corporation)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Syn... Read more

Answer:Need Help Removing Stubborn Sirefef.ah ASAP Please!

Good evening. I want you to fire up FRST again and enter the following into the Search: textbox: services.exe
Then click the Search File(s) button and wait.
Once the search has completed, the results will be saved alongside FRST as Search.txt - please copy and paste the contents of that textfile into your next reply.

10 more replies

My computer recently became infected with Luhe.Sirefef. No anti-virus software I have tried has worked. AVG said it was there, and that it removed it, but it pops up again seconds later saying it's there. I was wondering if anyone would be able to assist me; it would be greatly appreciated.

Answer:Need help removing the Luhe.Sirefef trojan.

Never mind, I have resolved the issue. The measures were pretty drastic, but it's no problem. All I did was delete my user account on the computer and start another admin profile. I ran multiple sweeps of my system and nothing has been found.

1 more replies

I originally posted this here My link and have followed the guide as posted in the reply.
I had a computer infected with the Win 7 Antispyware 2012 rogue anti-spyware program which I thought I had removed by following guides on this site. The problem I have is that Windows 7 cannot see my network devices. The "Computer Browser" service will not start, failing with Error 1060. I have run scans with Malwarebytes which finds nothing, but when I ran a scan with aswMBR it said I was infected with the Win32:Sirefef-FQ virus. I'm not getting redirects with Google searches but do get the doubleclick.net showing on the back button in Internet Explorer.

DDS Log.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Jase at 22:19:15 on 2012-02-20
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.4095.2657 [GMT 0:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\syst... Read more

Answer:Help removing Win32:Sirefef-FQ Infection

Hello Pintglass! Welcome to the forums! My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I'll be addressing you by your username; if you'd like me to address you by something else, please let me know!

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! ... Read more

88 more replies

It's been awhile since I posted in this forum looking for help, which means that I've been able to keep my computers and the computers of my family members free from malware and/or I've been able to remove it myself, which I have this board to thank for that knowledge and ability.

However, I now need some assistance as I believe my father's computer has been attacked. Microsoft Security Essentials (MSE) has detected the Sirefef.AB virus. It attempts to remove it, but it keeps coming back. Here's some history:

I noticed the MSE icon in the taskbar was red. When I clicked on it and attempted to update it, I received an error that a necessary file didn't exist (or something similar to that). I uninstalled, re-downloaded and installed MSE. It scanned the computer and found the Sirefef virus, attempted removal, but it returned.

I then received another error message (I'm a little fuzzy on this) that said the Windows Firewall was not protecting my computer and when I went to activate it, I received a message that a necessary file or component was missing.

Also, in trying to research the virus and the above problems, google search results were being redirected.

Finally, his computer would not boot into safe mode and was locking up while booting and in trying start certain programs (e.g. IE 8). As a result of this, I have disconnected his computer from the network/internet.

Hope someone here can help. My logs per the Stickied instructions follo... Read more

Answer:Sirefef Virus Detected; Need Help Removing

16 more replies

Hello

I had a computer infected with the Win 7 Antispyware 2012 rogue anti-spyware program which I thought I had removed by following guides on this site. The problem I have is that Windows 7 cannot see my network devices. The "Computer Browser" service will not start, failing with Error 1060.
I have run scans with Malwarebytes which finds nothing, but when I ran a scan with aswMBR it said I was infected with the Win32:Sirefef-FQ virus.
I'm not getting redirects with Google searches but do get the doubleclick.net showing on the back button in Internet Explorer.

Any help with this would be much appreciated

Thanks Pintglass

Answer:Help removing Win32:Sirefef-FQ Infection

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

3 more replies

Microsoft Security Essentials detected and removed the Trojan Dropper Sirefef.B and TrojanDownloader Unruy.H from multiple files. Afterward there was no more network/internet connection. I followed the advice from several topics, including one on this forum, and some services have been restored, but I can not get the LAN connection restored. I have run MBAM and SuperAntiSpyware.

As instructed, I am including the contents of the DDS.txt below.

I ran GMER (found one red file), but after it finished and I clicked "Save", the computer froze up before saving. After rebooting, I ran it again until it found the red file again and then stopped the scan. I saved this file and attached it.

Thanks,
Joel

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 21:36:57 on 2012-03-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1268 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:&... Read more

Answer:No Network after removing Trojan Dropper (Sirefef.B)

Hello Joel R. and welcome to BC.

Sorry about the delay, do you still need help?

75 more replies

Just as the topic indicates. I noticed a thread someone else was infected as well. Looked like the resolution involved user specific variables so any help would be appreciated!!

Windows 7 64bit

Answer:Caught the "trojan sirefef" virus -- Need help removing

Download TDSSKiller
Launch it.
Click on Change parameters - select TDLFS file system.
Click on "Scan".
Please post the LOG report (the log file should be in your C drive).

Download aswMBR
Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan.
After the scan finishes, click on Save log.
Post the log results here.

Download ESET online scanner
Install it.
Click on START, it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.
Export the list to desktop, copy the contents of the text file in your reply.

45 more replies

Hi All,
 
I'm a new user here and I was hoping to find some help for removing the Luhe.Sirefef.a trojan from my home laptop.  Windows Defender picked it up about a week ago but it keeps regenerating every time I delete or quarantine the file.  I downloaded AVG's free version but it also isn't powerful enough to eliminate it for good.  I've read up on some other users with the same issue here and it looks like it takes quite a few steps/programs to fully eliminate.  I've kept my computer shut down since AVG failed to eliminate it (thus far it hadn't noticeably impacted any functionality).  Any help would be appreciated.
 
Thanks,
Nate

Answer:Need help removing Luhe.Sirefef.a trojan from laptop

Sorry, read the preparation guide.  Here is the DDS info requested.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 10.0.9200.16576  BrowserJavaVersion: 10.9.2
Run by MUTigers at 20:42:24 on 2013-06-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2811.1813 [GMT -5:00]
.
AV: AVG Anti-Virus 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Win... Read more

18 more replies

Hello, the topic should be pretty self-explanatory.
I ran FSS as per another thread, and here is the complete result.
I have noticed tds and afd are not running.

Following this log will be the Systemlook for both files

Can anyone help?

Farbar Service Scanner Version: 08-02-2012
Ran by lthomas (administrator) on 08-02-2012 at 09:35:05
Running from "F:\"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.
Connection Status:
==============
Localhost is accessible.
There ... Read more

Answer:No internet connectivity after removing win32/sirefef.b

To be on the safer side, before running registry fixes I would suggest you:

Download

http://www.snapfiles.com/get/erunt.html

Install it and backup your registry to C:/Windows/erdnt

Download afd.reg

http://www.mediafire.com/?bke30e98jwcsb27

Download tdx.reg

http://www.mediafire.com/?tkh1kri9w847pzm

Launch them, click YES when you get the UAC prompt

Restart the PC and post the new FSS log

Good luck

8 more replies
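Before importing the afd.reg and tdx.reg fixes the reply suggests, it is worth confirming from the FSS output exactly which service keys are gone and which services are merely stopped, because a stopped-but-intact service only needs starting while a missing key needs its registry entries restored. The script below is an added example for this thread, not code from FSS or from anyone in the thread: it parses the "Internet Services" section of an FSS log and separates the two cases. The sample log is constructed in the format FSS prints and mirrors the Dnscache, Dhcp, tdx and afd entries quoted in the question.

```python
"""Parse Farbar Service Scanner (FSS) 'Internet Services' output and separate
services whose registry key is reported missing from services that are merely
stopped with an intact configuration. Added example for this thread; not FSS's
own code or any tool from the forum. SAMPLE_FSS_LOG is constructed to match
the lines quoted in the question."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the FSS output quoted in the question.
SAMPLE_FSS_LOG = """\
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.
Connection Status:
==============
Localhost is accessible.
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
KEY_MISSING = re.compile(r"Unable to open (\S+) registry key\. The service key does not exist\.")
CONFIG_OK = re.compile(r"^The (start type|ImagePath|ServiceDll) of (\S+) service is OK\.")


@dataclass
class ServiceState:
    name: str
    running: bool = True
    key_missing: bool = False
    ok_fields: list = field(default_factory=list)


def parse_fss(text):
    """Return {service_name: ServiceState} for the Internet Services section only."""
    states = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Internet Services:"):
            in_section = True
            continue
        if line.startswith("Connection Status:"):
            break                      # end of the section we care about
        if not in_section:
            continue
        m = NOT_RUNNING.match(line)
        if m:
            states.setdefault(m.group(1), ServiceState(m.group(1))).running = False
            continue
        m = KEY_MISSING.search(line)
        if m:
            states.setdefault(m.group(1), ServiceState(m.group(1))).key_missing = True
            continue
        m = CONFIG_OK.match(line)
        if m:
            states.setdefault(m.group(2), ServiceState(m.group(2))).ok_fields.append(m.group(1))
    return states


def missing_service_keys(text):
    """Sorted names of services whose registry key FSS reports as absent;
    these are the ones that need their registry entries restored."""
    return sorted(n for n, s in parse_fss(text).items() if s.key_missing)


def stopped_but_intact(text):
    """Sorted names of services not running whose configuration FSS reports OK;
    these usually just need starting once the missing keys are back."""
    return sorted(n for n, s in parse_fss(text).items()
                  if not s.running and not s.key_missing and s.ok_fields)


if __name__ == "__main__":
    print("service keys missing:", missing_service_keys(SAMPLE_FSS_LOG))
    print("stopped but config OK:", stopped_but_intact(SAMPLE_FSS_LOG))
```

Run against a real FSS.txt (read the file and pass its text in) the two lists tell you whether a registry import is needed at all; on the constructed sample they come out as afd and tdx needing their keys restored, with Dnscache and Dhcp intact and only stopped.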

For a couple of days now, Microsoft Security Essentials has been giving alerts about Trojan.Win32(and 64)/Sirefef.(various shit)

It says it succeeds in removing them but they return every couple of minutes. Rebooting after removal didn't help a thing, nor did running Malwarebytes and TDSSKiller.

Any advice? Preferably some fancy ComboFix method with logs; conventional antivirus solutions haven't been shown to help so far.

Thanks in advance!

Answer:Trojan.Sirefef virus, problems removing it

  
Quote: Originally Posted by iDennisW

For a couple of days now, Microsoft Security Essentials has been giving alerts about Trojan.Win32(and 64)/Sirefef.(various shit)

It says it succeeds in removing them but they return every couple of minutes. Rebooting after removal didn't help a thing, nor did running Malwarebytes and TDSSKiller.

Any advice? Preferably some fancy ComboFix method with logs; conventional antivirus solutions haven't been shown to help so far.

Thanks in advance!

Try running Malwarebytes in Safe Mode and be sure to remove everything that comes up (make sure their checkboxes are enabled) Also, clear out all of your browser's cache. In Internet Explorer, click on the gear in the top right and select internet options. Then, find where it says browsing history in the middle of the page and click on delete. In the window that pops up, check all of the checkboxes except the one at the top that says "preserve favorite's website data" and select delete.

3 more replies

This is my son's XP computer which I reloaded from scratch this fall.
I have ESET and ZoneAlarm running.
He noticed suddenly that when he tried to pull up Firefox it asked what program you want to open it with.
I fixed the file association problem and also noticed ESET and ZoneAlarm were not loaded.

I downloaded on a flash drive then installed: ESET 5, CCleaner, Malwarebytes, ZoneAlarm
I also made sure XP was running current software with Belarc.

After rebooting I plugged in the network cable for the first time and it can't get a DHCP IP address...
I even tried fixing the IP address to an unused number, just higher than the attached devices in the home network (set subnet and DNS).
It didn't help so I set it back to DHCP.

I turned off System Restore.

I have no internet, but it does pick up my default gateway.


* * * * * * * * * * * * *
My ESET logs show:
Startup scanner file Operating memory » svchost.exe(1044) a variant of Win32/Sirefef.DT trojan unable to clean ERIK-DCHS\Erik
Startup scanner file Operating memory » \GLOBAL??\88d18544\WINDOWS\$NtUninstallKB3477$\2295432516\Desktop.ini a variant of Win32/Sirefef.DN trojan cleaned by deleting ERIK-DCHS\Erik
Startup scanner file Operating memory » svchost.exe(1044) a variant of Win32/Sirefef.DT trojan unable to clean ERIK-DCHS\Erik
Startup scanner file Operating memory » \GLOBAL??\88d18544\WINDOWS\$NtUninstallKB3477$ ... Read more

Answer:Lost internet after removing Kryptik.EXE & Sirefef.DT

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:

***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434487 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

2 more replies

I have used, in order, in safe mode after turning System Restore off, Malwarebytes, SUPERAntiSpyware, and Spybot S&D. I then switched AV software to Security Essentials. Additionally, I ran an online scan. Several days ago the system showed clean. Today, my system is warning of the Sirefef.B infection and is not allowing me to send email. It will not connect to my corporate email server once again. I have read many web sites and have not found a way to completely remove the trojan. Please help on how to proceed.

Additionally, ran HijackThis and looked at log and it showed nothing out of the ordinary.

Windows XP pro SP3 fully updated with latest.

Thanks

Sammy

Answer:Trouble Removing TrojanDropper win32/Sirefef.B

Ran full scan with Security Essentials and the trojan was found and removed...just as before....I am afraid the trojan will reappear shortly. I need to completely remove the problem.

1 more replies

Hi,

My computer has been infected by Sirefef and Zeroaccess Rootkit. It has disabled my Microsoft Security Essentials, and I am unable to click on any options in MSE. I've tried running combofix, Rogue Killer, TDSS Killer to no avail. When I restart, the problem persists. Attached are the logs. Please advise. Thank you.
 

Answer:Assistance Removing Sirefef and Zero Access Rootkit

You need to run the below:

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad... Read more

6 more replies

hello!

I have a Windows 7 Professional 32 and I am infected with trojandropper:win32/sirefef.b.
I removed it with SUPERAntiSpyware and it worked, but after that I could not connect to the internet;
it's stuck on identifying. Please help me, I am lost.

Answer:no internet after removing trojandropper:win32/sirefef.b

Welcome aboard!
Please download Farbar Service Scanner and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

20 more replies

Hi,

First of all I got the Internet Security virus; after removing that, I found that I have Sirefef.DT as well. After removing it with Malwarebytes, I can't connect to the internet, it keeps Identifying.

I found some similar posts. And tried to do netsh winsock reset and netsh int ip reset. But with no success.

What are the possibilities to restore my internet connection?

Answer:After removing Sirefef.DT lost internet connection

Download FSS
Checkmark all the boxes.
Click on "Scan".
Please copy and paste the log to your reply.

1 more replies

Hi

This damned rootkit has prevented Windows from starting up for the last 3 days and it has been really frustrating searching for solutions and getting no results.

The exact problem is: I think I was infected with the Sirefef rootkit (as Avast alerts said) but I never had URL redirections and search engine redirections and such because Avast would block the actions every time, but after a boot-time scan & removal of malicious files the computer won't start up; even in safe mode I get the error msg: STOP:c0000135 The program can't start because %hs is missing from your computer.
Things I have done so far:

Correcting the registry key and changing consrv to winsrv but no luck.
Using SFC command successfully as it said some files were repaired but still no success in getting past the BSOD. I even ran it for 4 more times but there were no more deviations found in files.
I also tried renaming winsrv.dll to consrv.dll and changed the registry value to consrv.dll to get windows to load but no luck there either.

And as of now I have access to KDE linux through Kaspersky rescue disk and also the options windows startup repair offers (command prompt and such)
On the same note, I can browse my harddrive freely and even execute SOME executable files using the Open file dialogue through Notepad.

And needless to say windows startup repair hasn't been able to do anything.

If you guys could help me out find what the missing file is and how I could logon... Read more

Answer:STOP:c0000135 error msg after removing Sirefef rootkit

Not to be the bearer of bad news, but sometimes malware permanently wrecks a Windows installation. As far as I knew, Sirefef was a Trojan, but maybe they've upgraded.

Any rate, your best hope at this point is to recover your data and start over. I would even frag the MBR just to be safe.
 

1 more replies

Greetings and salutations!

I am writing to request help removing some trojans from my Windows Vista system.

I foolishly tried to watch a TV show online yesterday (June 12, 2013) around 4am. It was a sketchy site I'd never been to before, accessed using Firefox, and I was hit w/ some trojans. Windows immediately told me it had updated, and wanted to restart. That was suspicious, so I ran a full system scan w/ Microsoft Security Essentials, and then Spybot Search & Destroy.

MS Security Essentials identified these two files, and cleaned them:
Win32/Fereit.gen!C
Win32/Sirefef.A

Spybot Search & Destroy found some additional stuff, which I also deleted/fixed, but don't recall what.

I downloaded, installed, and ran Malwarebytes. It found some stuff, and cleaned it. Unfortunately, I didn't immediately enable the realtime protection trial, as I thought it wanted money. That is up and running now, and nothing was found on subsequent scans.

As part of my attempts at cleanup/protection, I installed something called SpywareBlaster, which appears to be similar to SpyBot in locking down host files. However, a bunch of stuff that Spybot used to kill at Startup is running again. That's a separate issue, but I wanted to mention it in case the SpywareBlaster software was relevant.

I deleted Adobe Flash, and Reader, to keep them from compromising me until I'm clean.

I deleted Java, to keep it from potentially adding something.

I re... Read more

Answer:Need help removing Win32 trojans in Vista: Fereit.gen!C & Sirefef.A

Your logs are clean.

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
Go to add/remove programs and uninstall HijackThis.
Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
After doing the above, you should work thru the below link

How to Protect yourself from malware!

Malware removal from a National Chain = $149
Malware removal from MajorGeeks = $0
 

3 more replies
Relevance 84.46%

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At t... Read more

Answer:win32/sirefef.ab, win64/sirefef.p and win64/sirefef.m

Hi Gringo
Thanks for your help. My firewall is down and I am lost on what to do. I have done what you asked and hope it's ok.
What is this Sirefef? Seems like it wants to stay.

Scan result of Farbar Recovery Scan Tool Version: 16-05-2012
Ran by SYSTEM at 16-05-2012 19:15:34
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10151968 2010-05-20] (Realtek Semiconductor)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113296 2010-03-29] (NEC Electronics Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\... Read more

8 more replies
Relevance 83.64%

Hi, I have a laptop running Windows XP SP3. Microsoft Security Essentials detected the TrojanDropper:Win32/Sirefef.B virus and was able to remove it. However, from then on I have been unable to connect to the internet. Neither my wired nor my wireless connection is working.

I have a second laptop that can successfully connect to the internet, so I know that my router is working and that my Ethernet cable is good.

When I open Network Connections, both the wired and the wireless connections show a status of "Connected".

When I run the Farbar Service Scanner, the log looks fine.

Any ideas?

Thank you for your help!

AgentH

Answer:Unable to access internet after removing TrojanDropper Sirefef.B virus

Welcome aboard

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center
Windows Update
Press "Scan". It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

21 more replies
Relevance 83.64%

I installed Microsoft Security Essentials and ran a full scan of the system. But I found out that my Windows is attacked by Trojan:win64/Sirefef.W, Trojan:win64/Sirefef.M and Trojan:win32/Sirefef.AK. Microsoft Security Essentials was unable to remove them. The main issue that I have been facing since this incident is that Windows can't update Firewall settings. The following message is displayed: "Windows Firewall can't change some of your settings. Error code 0x80070424". Additionally, the antivirus program "Microsoft Security Essentials" keeps on detecting the above mentioned malwares and asks to delete these files. Once deleted it asks for a reboot. After restart again these viruses are re-created and it's been happening for the last couple of weeks.

In order to resolve this issue I searched the internet and found http://www.bleepingcomputer.com so I posted a topic regarding this issue and I have been receiving help from one of your experts. Here's the link of this topic: http://www.bleepingcomputer.com/forums/topic455970.html/page__gopid__2721298#entry2721298

Now that problem persists, I have been asked for the elevated help and to post a new topic here. I am glad to know that your team is so dedicated for our help. As I am using the 64-bit version of Windows, only DDS logs were created. DDS.txt logs are given below and attach.txt has been attached as well.

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion... Read more

Answer:Infected with Trojan:win64/Sirefef.W, Trojan:win64/Sirefef.M and Trojan:win32/Sirefef.AK

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more

27 more replies
Relevance 83.23%

When I try to turn Windows' firewall on/off, I get the message "Due to an unidentified problem, Windows cannot display Windows firewall settings."

The Security Service center cannot be started.

I cannot install cumulative security update for IE8.

I was getting redirected to different websites in new windows when surfing.

I recently removed AVG and installed Avast. I also recently updated JAVA and removed old JAVA stuff.

Avast keeps indicating it has blocked:

Infection - Win64:Sirefef-A[Trj]
Object [email protected]

Infection - Win32:Sirefef-AD[Rtk]
Object - [email protected]

Infection - Win32:Malware-gen
Object - [email protected]

I have scanned w/ Avast (Avast also did a boot scan), Malwarebytes, and SuperAntiSpyware, and nothing has changed except the redirect seems to have stopped.

I tried the gmer scan three times and each time it resulted in a blue screen. All I could read on the screen was uwldypow.sys.

Anyway the DDS file -

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 10.5.1
Run by JIM at 21:05:10 on 2012-06-29
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.170 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:&... Read more

Answer:Infected w/ Win64:Sirefef-A[Trj], Win32:Sirefef-AD[Rtk], Win32:Malware-gen

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

30 more replies
Relevance 83.23%

Hello! Please Help!

My antivirus started to warn me about blocking stuff a few days ago. I was using Bitdefender Total Security 2012. At first it found the threats and removed them but since this morning it started acting more weird. It wasn't able to remove them. I think it showed among others a trojan.sirefef.fy. I've changed my antivirus with Norton 360 but it didn't solve anything. I've installed Malwarebytes Anti-Malware which found another 2 trojans and rootkit.0Access. A second scan showed nothing. Norton 360 showed 2 threats and removed them. At last I ran Eset Online Scanner which now shows 7 threats. I'm really worried that my pc is compromised. I'm using Windows 7 with Firefox. Windows Update seems to be deactivated too.

Answer:trojan.sirefef.fy, Sirefef.Fd Trojan, rootkit.0Access problem

Download TDSSKiller
Launch it. Click on change parameters - Select TDLFS file system. Click on "Scan".
Please post the LOG report (log file should be in your C drive). Do not change the default options on scan results.

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions. Click the "Scan" button to start scan.
After scan finishes, click on Save log. Post the log results here.

Download ESET online scanner
Install it. Click on START, it should download the virus definitions.
When scan gets completed, click on LIST of found threats. Export the list to desktop, copy the contents of the text file in your reply.

8 more replies
Relevance 83.23%

Found with MSE and scanned with Malwarebytes, no help; just hoping someone can help.
 
dds file logs
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 1.7.0_09
Run by Sean at 15:38:09 on 2013-08-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8141.5674 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* 1
SP: Windows Defender *Disabled/Updated* 0
SP: Microsoft Security Essentials *Disabled/Updated*

.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k... Read more

Answer:trojan.win64/sirefef.p and trojan.win32/sirefef.ab removal help

Hello silencer626

I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sa... Read more

34 more replies
Relevance 81.59%

Hello,

It looks like I've picked up a nasty case of the Sirefefs!
I'm running a Vista x64 desktop machine and first noticed something was wrong at the weekend when my MSE suddenly stopped working - the icon turned red and showed an 'X'. I tried to restart it but kept getting an error saying something like it "wasn't installed on the system". Then I noticed when surfing on Google Chrome that it wouldn't allow me to log in to Facebook / Twitter etc and it would direct to a page saying that these sites had a "weak algorithm". After that I started getting re-directs on my IE and Firefox browsers too. So I decided to do a system restore, which has been my saving grace on other occasions, but I found to my horror that there are no restore points saved. I managed to get MSE re-installed and working and noticed that it was quarantining 'Sirefef.AC' and 'Sirefef.AH'. I ran MBAM and it found and took care of some stuff but every time I boot up it comes back. I'm getting a general slow down in internet performance with the redirects as well as some random blue screens and crashes - I can't see what the blue screens say because it's so quick to crash. MSE is still blocking and quarantining things every now and then and I'm really limiting what I do on this PC until I get this thing licked.
I was going to just reformat and start over but a bit of Googling on another PC led me to this forum for help and maybe a slim... Read more

Answer:Infected with Sirefef.AC / Sirefef.AH

Hello RChappo , Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. I would go ahead and do a backup. Better to have an infected backup than none at all if something happens.
2. Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator. If T... Read more

9 more replies
Relevance 81.59%

So these two things keep popping up, I've tried almost every other antivirus and malware removal, even tried deleting it from (C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini) using Hiren's. I don't seem to have any "issues", it's just that I would remove it and then after a couple of hours it'll show up again on MSE. MBAM doesn't detect anything anymore and neither does any other scanner. Help?

HijackThis
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:37:38 AM, on 6/2/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Realtek\LanOptimizer\LanOptimizer.exe
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Mionix\NAOS 5000 Laser Gaming Mouse\NAOS_Monitor.EXE
C:\Program Files (x86)\MSI Afterburner\Bundle\OSDServer\RTSS.exe
C:\Users\Byron\AppData\Loca... Read more

Answer:Sirefef.AB and Sirefef.P Removal

Hi,

Please do the following:

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad. Here's how to do that:
Click Start > Run, type Notepad, click OK. This will open an empty notepad file.
Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')
http://www.bleepingcomputer.com/forums/topic455612.html

Collect::
c:\windows\system32\drivers\gifgohrw.sys
c:\windows\system32\drivers\mjknrfuj.sys
c:\windows\system32\drivers\dciifivj.sys
c:\windows\system32\drivers\quribcyz.sys

DirLook::
c:\programdata\~0

FCopy::
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe | c:\windows\system32\services.exe

Driver::
crqwrzkr

ClearJavaCache::
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')
Save this file to your desktop. Save this as "CFScript". Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files&qu... Read more

10 more replies
Relevance 81.59%

I have an HP laptop with this nasty little bug. Since it reboots every 60 seconds or so it is a pain to fix. The FRST file is attached. Any help is appreciated!

Wammer
 

Answer:Help with removal of sirefef.r/sirefef.ah

Search.txt attached also.
 

8 more replies
Relevance 81.59%

Hello,

Thank you in advance to anyone who can help me. I just got rid of the Security Shield virus and am now encountering a critical problem boot loop after seeing Sirefef.AB and Sirefef.P inside Microsoft Security Essentials.

I am able to navigate the web, however my computer only runs for a minute or 2 before the critical error pops up and have a minute until the automatic reboot.

Please, if anyone can help, I would really appreciate it.

Thanks,

Geoff

Answer:Infected with Sirefef.AB and Sirefef.P

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you. If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom

4 more replies
Relevance 81.59%

I have a laptop with Windows 7 Ultimate 32 bit. MSE reports both Sirefef.AH and Sirefef.R. I have tried to remove them using both MSE and MalwareBytes with no success. The computer reboots before DDS or GMER can run. What should I do next?

Answer:Sirefef.AH and Sirefef.R infection

Download TDSSKiller
Launch it. Click on change parameters - Select TDLFS file system. Click on "Scan".
Please post the LOG report (log file should be in your C drive). Do not change the default options on scan results.

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions. Click the "Scan" button to start scan.
After scan finishes, click on Save log. Post the log results here.

Download ESET online scanner
Install it. Click on START, it should download the virus definitions.
When scan gets completed, click on LIST of found threats. Export the list to desktop, copy the contents of the text file in your reply.

4 more replies
Relevance 81.59%

I have been infected with these Trojans and my computer restarts after 60 seconds regardless of user or safe mode. Mbam does not detect it, but Microsoft security essentials does. Could I get some help on how to not have an expensive paperweight?

Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal

Answer:bleeping sirefef.ab and sirefef.p

Restart the PC
Press F8 on bootup
Select REPAIR YOUR COMPUTER
Click on REPAIR
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Can you get to this screen?
If yes, select System Restore. If you have a restore point from before you installed Microsoft Security Essentials, restore it; a restore point from before you were infected would be fine too.

33 more replies
Relevance 81.59%

Hello all!

I'm a new member needing assistance with this nasty sirefef virus. Since this computer reboots after one minute of logging in I ran the FRST.exe tool like instructed by CatByte in the forum topic463661. Since the resolution is going to be specific to each computer, I have not turned the computer back on since these scans were performed.

I have included the results of the two scans below. Thank you in advance for helping me with this infection!

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 10-08-2012
Ran by SYSTEM at 13-08-2012 12:55:23
Running from E:\
Windows Vista ™ Business (X86) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [118784 2006-10-20] (CyberLink Corp.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\ronna.HEADQUARTERS\...\Run: [OutlookMessenger] "C:\Users\ronna.HEADQUARTERS\Desktop\OutlookMessenger.exe" /m [3121152 2006-01-21] (... Read more

Answer:Infected with Sirefef.AH and Sirefef.R

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more

23 more replies
Relevance 81.59%

Hello. I've been reading up on the forums of a lot of cases of this sirefef virus floating about and of course I happened to get it. I'm running Windows 7 64 bit. I read the initial instructions and ran the Farbar Recovery Scan tool and have gotten my initial FRST.txt file and was hoping someone could take a look and help me get a fix txt to get rid of it. I'll just copy and paste the file and attach it in case someone wants to pull it off to look closer. Thanks!
 

Answer:Sirefef.AB and Sirefef.P removal help

Not sure if I made a mistake or not when posting, I figured I would wake up today to at least one response. Let me know please everyone.
 

2 more replies
Relevance 81.59%

Hello,

I am having a problem that sounds very similar to what is described in http://forums.majorgeeks.com/showthread.php?p=1748408.

Shortly after starting Windows, I see a warning that Windows will restart in 1 minute and then the machine reboots.

The reboot also happens in safe mode.

MSE finds Sirefef.Y and Sirefef.B but system always reboots before it's able to remove them. Have not been able to run Malwarebytes due to the rebooting in safe mode.

Thanks in advance!
 

Answer:Sirefef.Y and Sirefef.B on Win7 64-bit

Are you on Win7 or Vista?
If so run this:

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window typ... Read more

6 more replies
Relevance 81.59%

I am working on a system that reports having the sirefef.R and sirefef.AH trojan. I have removed the drive and scanned it with another computer with several different AV removal software programs until it reported the drive was clean. Once I put the drive back into the computer and booted, I get the same trojans reported and the computer keeps rebooting.

I ran FRST.exe and below are the results. Please Help!!

[edit] Inline log attached.[/edit]

 

Answer:sirefef.R and sirefef.AH Removal Help

Welcome to Major Geeks!

Please see number 5 in the below link.

Forum Rules and Guidelines

We require all logs to be attachments. Also please don't use such a small font. We read tons of messages and logs per day and our eyes take a beating.

luv2golf67 said:

I have removed the drive and scanned it with another computer with several different AV removal software programs until it reported the drive was clean.

The were all incorrect.

We need to get some additional information inorder to work up a proper fix as we need to replace at least one system file. Also make sure that all scans are run on the drive having the problem ( i.e., do not put the drive into another PC to run any scans unless requested. ).

Please run MGtools as requested in the below and attach the C:\MGlogs.zip file we need.

Using MGtools


1 more replies

I've looked through the other threads about these viruses. As I'll need a custom fix file, I won't hijack the other threads. Attached is my FRST log file, please help. Thanks!

Answer:Help Please - Need to remove sirefef.p and sirefef.ab

Welcome to Major Geeks!

Download this >>

View attachment fixlist.txt

Save fixlist.txt to your flash drive.

You should now have both fixlist.txt and FRST64.exe on your flash drive.
Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows and make sure you tell me how things are working now!

5 more replies

Today I noticed that my computer has been infected with the sirefef.b and sirefef.y viruses. I currently have McAfee, and today I installed Microsoft Security Essentials, and that's when it stated that they were there. The only way I could stop my computer from restarting every minute and try to find a way to fix this was to uninstall MSE. Can you help me remove these viruses?

Answer:How do I remove sirefef.b and sirefef.y?

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

48 more replies

Hello!

Recently I discovered Microsoft Security Essentials and Windows Defender had been disabled on my computer (Windows 7 64-bit) and I couldn't turn them back on. Running Malwarebytes revealed an infection of Rootkit.0Access. MBAM couldn't remove it, but I tried running TDSSKiller and it was able to remove the infected files.

After restarting, I ran TDSSKiller again and it came up clean. Then I ran Malwarebytes again and now it was reporting the presence of two trojans, Win64/Sirefef.Y and Win64/Sirefef.B. Malwarebytes couldn't remove the trojans, and at this point I checked Microsoft Security Essentials and noticed it still wouldn't turn back on. I uninstalled MSE, downloaded a fresh copy, and reinstalled it. At this point it started to work correctly, found the trojans and tried to remove them... and then of course I found myself constantly restarting the way it seems many people with this malware have been.

Any advice would be appreciated. I haven't been able to run the utilities asked for in the Malware Removal Guide, change settings, etc. due to the way the computer keeps restarting. (I see it's being asked that people disable Daemon Tools, which I do have installed and can't get to right now, argh.) Please note I have a second clean laptop available that I can make use of and I can burn DVDs, but I have no flash drives available.

Thank you very much!

Answer:Sirefef.Y and Sirefef.B on Win7 64-bit

Welcome to MajorGeeks, datenshi

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your fla... Read more

9 more replies

Sorry for another post on this but from my reading, the solution is computer specific.

I have the same problem as others, Microsoft antivirus finds the Sirefef files, removes and has me reboot only to find the files have returned.

I appreciate any help you can give me.

I believe the files needed are attached.

Joe

Answer:Another Sirefef.AB and Sirefef.P Post

I ran the new version of ComboFix and the computer seems to be clean.

I've attached combofix.log

Thanks

4 more replies

Hello. I've been reading up on the forums of a lot of cases of this sirefef virus floating about and of course I happened to get it. I'm running Windows 7 64 bit. I read the initial instructions and ran the Farbar Recovery Scan tool and have gotten my initial FRST.txt file and was hoping someone could take a look and help me get a fix txt to get rid of it. Thanks!

Scan result of Farbar Recovery Scan Tool Version: 10-07-01
Ran by SYSTEM at 10-07-01 1:00:
Running from F:\
Windows 7 Professional Service Pack 1 (X6) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [171168 01-0-6] (Microsoft Corporation)
HKLM-x\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [5696 01-01-18] (Sun Microsystems, Inc.)
HKLM-x\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [871 01-01-0] (Adobe Systems Incorporated)
HKLM-x\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [6166 01-0-05] (Advanced Micro Devices, Inc.)
HKLM-x\...\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcodin... Read more

Answer:Sirefef.AB and Sirefef.P help needed

If anyone needs any more info to help me out on this, please let me know. I am completely stuck until I get any kind of feedback.

16 more replies

Somehow this got picked up on one of the office computers!
Did a lot of digging & tried several 'fixes', none of which has worked.
First off, the shutting down feature of this keeps me from getting very far with any of the fixes.
I've tried going to a command prompt & running shutdown -a, but I either get a response that a shutdown isn't in progress or one already is & it can't be stopped.

Kaspersky Rescue disk, seemed to find something on first scan, but didn't fix it & any scan since shows nothing.
Running Malwarebytes from the Hiren's CD doesn't find it (the message that it can't be run from mini XP was confusing...)

MS Security Essentials picks up on them, but of course, the computer shuts down before anything can be done.

At this point, I am almost ready to format & re-install, but figured I'd try my luck here & am open to suggestions!

Answer:Sirefef.R & Sirefef.AH infection...

Welcome texan767. Appears we will need a deeper look. Please go here: Preparation Guide, do steps 6-9. Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. If GMER won't run (it may not on a 64 bit system) skip it and move on. Let me know if that went well.

1 more replies

Thanks for the quick reply... I went thru the list of items to do, but the machine has become unstable and I have unplugged it from the web and am using a laptop to communicate. I have run the FRST64 and have the FRST log. Will that be enough to begin, or do I need the DDS log as well? My MSE has identified the sirefef.AB and sirefef.P infection.

I am using Win 7 64 Pro

The computer in question will not allow the firewall to be re-engaged; it comes up with error code 0x80070424.

Thanks
Russ

Answer:sirefef.AB and sirefef.P infection

Hello, I have also run DDS and have the Defogger log as well...

16 more replies