Computer Support Forum

Win32/Sirefef.AB & Win64/Sirefef.P; Browser Redirection, Windows Critical, Restarts

Question: Win32/Sirefef.AB & Win64/Sirefef.P; Browser Redirection, Windows Critical, Restarts

Hello all,

I'm a first time poster here and have come here looking for help in resolving my infection issue. I followed the directions in the read first thread and will post my logs. I am / was experiencing the following issues:


Firefox would redirect to various pages such as newsfudge.com. Since proceeding through the read first post, and also running goored? I have not noticed this recently.
Sometimes browsing seems to be incredibly slow, possibly related to the redirections.
Since attempting to troubleshoot this issue (Microsoft Security Essentials), it is believed that this is causing the following issue:

! You are about to be logged off
Windows has encountered a critical probelm and will restart automatically in one minute. Please save your work now.

If I let the computer restart itself, then this will keep happening. I have learned to "interrupt" it by running a normal restart after the message pops up. So far everytime the computer comes back I won't get the message. If I restart again, it will happen again. I haven't noticed anything in particular relating to this in the system log.

While not experiencing problems with the programs to resolve issues like this, I have noted that it has prevented me from patching games such as Rift. I believe this is related.
While working in safemode sometimes I noticed Adobe Flash 11.3 installer would frequently run trying to get me to install it. I do believe there was a massive security threat involved with this, and this could be how the virus remains on the PC.
While trying to troubleshoot the issue, I know part of the biggest threats were located:
C:\Windows\Assembly\GAC_32\Desktop.ini
C:\Windows\Assembly\GAC_64\Desktop.ini

Attached are the logs. Please let me know what else you would like me to do.

Relevance 100%
Preferred Solution: Win32/Sirefef.AB & Win64/Sirefef.P; Browser Redirection, Windows Critical, Restarts

I recommend downloading and running Reimage. It's a computer repair tool that has been proven to identify and fix many Windows problems with a high level of success.

I've used it in the past to identify and fix everything from blue screens (BSOD's), ActiveX errors, corrupt files and processes, dll/exe/sys errors, recover lost memory, Windows update problems, defragging, malware removal etc.

You can download it direct from this link http://downloadreimage.com/download.php. (This link will automatically start a download of Reimage that you can save to your computer.)

Answer: Win32/Sirefef.AB & Win64/Sirefef.P; Browser Redirection, Windows Critical, Restarts

Re: Win32/Sirefef.AB & Win64/Sirefef.P; Browser Redirection, Windows Critical, Restar

Welcome to Major Geeks!


Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.

Also allow Hitman to delete the C:\Windows\assembly\GAC_32\Desktop.ini piece of the infection
Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take affect, please do so.
Reboot back into normal Windows and run another scan with HitmanPro and then attach the latest hitmanpro.zip log.
Also do the below:

Delete the below folders if found:
C:\Windows\installer\{5efa2d27-76c5-fff1-abd3-fdc5fc0c9d41}
C:\Users\Administrator\AppData\Local\{5efa2d27-76c5-fff1-abd3-fdc5fc0c9d41}


Download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

C:\MGlogs.zip
Make sure you tell me how things are working now!

1 more replies
Relevance 113.97%

Ladies and Gentlemen of the VTSM forum,

I need help. I thought I had a pretty simple rootkit infection, but tdsskiller/mbam has proven ineffective. MSE is able to identify and ostensibly remove the infection, but doing so makes the computer unbootable and system repair unable to complete, forcing a system restore to the infected state. Infection extends back to the oldest restore point. Win7 64 bit, running MSE and MS firewall with mbam for antimalware. SFC/scannow shows clear. google redirects on firefox and chrome, occasional slowdowns, windows defender is unable to start on boot, otherwise the system seems to be running fine. No rootkits recognized by tdsskiller. As mentioned in the title, MSE shows win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e

Here's the DDS log. Please let me know what else I should supply. Thank you in advance!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by wstrawn at 16:51:52 on 2012-02-17
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4061.1285 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* / Copyright 4
SP: Microsoft Security Essentials *Enabled/Updated* / Copyright 3
SP: Windows Defender *Disabled/Updated* / Copyright 2
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch... Read more

Answer:win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e combination is killing me

Hi Weeps!My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!I would be glad to take a look at your log and help you with solving any malware problems.If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete the copy that you... Read more

37 more replies
Relevance 102.08%

I went through the other threads and noticed a fix.txt is needed to repair my brother's computer. I used the frst64 to aquire the two logs attached to this message. Any chance someone can help us? Let me know if you need anything else. His computer starts up and then shuts down before much can be done so I don't have a normal log for you, but I will see what I can get for you.

Thanks!
Scott

View attachment FRST.txt



View attachment Search.txt
 

Answer:win32/sirefef.ab and win64/sirefef.p infection fix.txt needed

You did not run it properly as indicative by the contents of the log. You need to do it again according to these instructions and you must NEVER follow a fix tailored especially for someone else.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.
On the System Recovery Options menu you will get the following options:





Startup Repair
Sys... Read more

11 more replies
Relevance 100.92%

Please run the following:download Farbar Recovery Scan Tool and save it to a flash drive.Plug the flashdrive into the infected PC.Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

Answer:Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute. Firewall cannot turn on

Hi,

Thanks for the reply.

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 29-07-2012 11:19:09
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL "" [1111568 2011-10-08] (Trend Micro Inc.)
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2589992 2011-04-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [617120 2011-03-13] (Atheros Commnucations)
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [197152 2011-02-10] (Trend Micro Inc.)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\A... Read more

20 more replies
Relevance 100.34%

I recently downloaded a file and was later infected by Win32/Sirefef.AB and Win64/Sirefef.P viruses. Any help in resolving this issue would be greatly appreciated.
 

Answer:Infected with Win32/Sirefef.AB and Win64/Sirefef.P. Help

Welcome to MajorGeeks, Yellow77

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.
On the System Recovery Options menu you will get the following options:





Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Click to expand...


Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and f... Read more

3 more replies
Relevance 100.34%

Yes I have the dreded infection and have downloaded the frst64.exe and will run it to get the log files...
Any other directions or advice would be great

Not sure if this is the correct place to post virus infection requests...if not please direct me to the correct place...I do have the frst.txt file for my issue to upload when necessary.

Thanks
Russ

Answer:Win32/sirefef.AB / win64/sirefef.P infection

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

You can also post the FRST log

Good luck

1 more replies
Relevance 100.34%

Hi guys,

Since yesterday I'm getting alerts from Microsoft Security Essentials about trojans in C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini

First I tried bootable live CDs from AVG and Dr.Web, scanned and cleaned PC with Microsoft Security Essentials, after it didn't helped, smoked Google a little and found your forum.

Read "READ & RUN ME", and here are the log files.

Huge thanks in advance
 

Answer:Trojans: Win32/Sirefef.AB and Win64/Sirefef.P

and here are 3 other logs..
 

4 more replies
Relevance 100.34%

Hello,

Microsoft Security Essentials is notifying me that Win32/Sirefef.AB and Win64/Sirefef.P are potential threats, but of course trying to remove them does nothing.

Attached is my Farbar Recovery Scan Tool log. Thanks in advance for any help!

Answer:Win32/Sirefef.AB and Win64/Sirefef.P Infection

Hello user314159 and welcome to the forums!My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!I would be glad to take a look at your log and help you with solving any malware problems.If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, ple... Read more

4 more replies
Relevance 100.34%

Hi,
I have recently changed AV probrams from Eset nod 32 to Microsoft Security Essentials.

Upon running a scan with MSE, it has detected two trojans,
Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

Located in:
C:\Windows\assembly\GAC_32\Desktop.ini

I have gone through READ & RUN ME.
I did not run RootRepeal as I have Windows ultimate x64.
ComoboFix and TDSSKiller did not create log files.

TDSSKiller did find 2 threats and attempt to delete, upon reboot Windows because stuck in loading.

Thanks in advance
 

Answer:Trojan:Win32/Sirefef.AB & Win64/Sirefef.P

Currently reviewing those logs and will get back to you as soon as possible.
 

2 more replies
Relevance 100.34%

Hello everyone,I just discovered this forum while searching for a fix to my problem. I stumbled upon this post [Thread @ Bleepingcomputer] and he has the exact same problem as I have, even though the name is different. It seems his problem was fixed through a few custom actions a member suggested to him, and I figured I was SOL with my problem and would need the help. So thanks in advance to whoever ends up helping me!So my PC was running a bit slow, but the thing that ticked me off was this popup that kept appearing randomly, even once triggering on youtube.com, a site which has never generated popups in the recent past. This nagged me so I launched MBAM and it found something called Trojan.Dropper.BCMiner and it failed to remove it after asking for a reboot. So I try a bunch of stuff, I don't really remember all I did since I fired in no precise order, ComboFix (which didn't start at first, but it did once I rebooted into safe mode later in the process), the kaspersky malware tool I've seen suggested a lot here(I don't remember the exact name), MBAM, a MSSE scan and SUPERAntiMalware. All of them failed at doing anything good. I also ran the avast MBR fix tool to no avail, it actually blue screened my PC.After I started reading on the topic linked earlier, I ran almost the exact same procedure, up to getting a FRST log, which I now do have. In the end, I'm having the same problem I had at the beginning, MSSE is crazy about the two desktop.ini files in... Read more

Answer:Infected with Win32/Sirefef.P and Win64/Sirefef.AB

Hi,I'd like to see an updated FRST log:download Farbar Recovery Scan Tool and save it to a flash drive.(you need the 64bit version)Plug the flashdrive into the infected PC.Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.... Read more

14 more replies
Relevance 100.34%

Hello. My antivirus picked up these two and I was wondering if anyone could help me remove them. I tried using dds to send you logs but no attach or dds txt pops up after using it,and I'm an amateur when using computers so I have no idea how to find those logs if they exist somewhere in my system. Hope someone can help.

Answer:win64 sirefef -btt and win32 sirefef - a detected

Hello SONYAns I would like to welcome you to the Malware Removal section of the forum.Around here they call me Gringo and I will be glad to help you with your malware problems.Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!Please do not run any tools unless instructed to do so.We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same",... Read more

4 more replies
Relevance 100.34%

Avast keeps detecting Win32:Sirefef-B, Win64:Sirefef-A, and sometimes Win32:Malware-gen.  Multiple scans detect & quarrantine files, but the trojan warning keeps popping up.  My friend ran ComboFix on it & claims that everything is fine now, but I'm concerned that he shouldn't have run ComboFix yet and also that it may not have actually removed this infection.  Here is my log from DDS.txt:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16506
Run by Michael Calhoun at 0:57:18 on 2013-10-07
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.3034.1819 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Intuit\... Read more

Answer:Infected with Win32:Sirefef-BTT & Win64:Sirefef-A

Hello troyman5150 I would like to welcome you to the Malware Removal section of the forum.Around here they call me Gringo and I will be glad to help you with your malware problems.Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!Please do not run any tools unless instructed to do so.We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sam... Read more

16 more replies
Relevance 99.76%

When I try to turn Windows' firewall on/off, I get the message "Due to an unidentified problem, Windows cannot display Windows firewall settings.

The Security Service center cannot be started.

I cannot install cumulative security update for IE8.

I was getting redirected to different websites in new windows when surfing.

I recently removed AVG and installed Avast. I also recently updated JAVA and removed old JAVA stuff.

Avast keeps indicating it has blocked:

Infection - Win64:Sirefef-A[Trj]
Object [email protected]

Infection - Win32:Sirefef-AD[Rtk]
Object - [email protected]

Infection - Win32:Malware-gen
Object - [email protected]

I have scanned w/ Avast (Avast also did a boot scan), Malwarebytes, and SuperAntiSpyware, and nothing has changed except the redirect seems to have stopped.

I tried the gmer scan three times and each time it resulted in a blue screen. All I could read on the screen was uwldypow.sys.

Anyway the DDS file -

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 10.5.1
Run by JIM at 21:05:10 on 2012-06-29
Microsoft? Windows Vista? Home Premium 6.0.6001.1.1252.1.1033.18.1013.170 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:&... Read more

Answer:Infected w/ Win64:Sirefef-A[Trj], Win32:Sirefef-AD[Rtk], Win32:Malware-gen

Greetings and Welcome to The Forums!!My name is Gringo and I'll be glad to help you with your computer problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At... Read more

30 more replies
Relevance 99.18%

Hello,

i post my problem here as it seems the only place where i've found people who actually know what they're talking about. I have a Sony Vaio Laptop running windows 7 64 bit infected with the sirefef virus. Microsoft security essentials shows that it found:

Trojan: Win64/Sirefef
Trojan: Win64/Sirefef.Y
Virus: Win64/Sirefef.B
Trojan: Win64/Sirefef.Z
Trojan: Win64/Sirefef.W

Every time i boot the computer, MSE finds these infections, and prompts me after a minute to restart in order to complete the removal. But every time it reboots, the message is still there. I tried installing Malwarebytes but it won't let me cause it says "access denied" or something like that. Sorry for not providing any more information but i can use my pc for a couple of minutes every time (cause it reboots automatically). I followed your instructions and scanned with DDS. I attach the attach.txt file it generated. I look forward to hearing from you as i really need the laptop for my university studies and i'm in the middle of the exams period. Thank you for your time!

P.S. If i restore my whole system to factory settings, is the problem going to persist? Cause if it's not, i will do it in a heartbeat. Only problem is that i am afraid of infecting my external hard drive (which would be already infected if the virus spreads to external devices). Would that be the case? Will i need to clean my external HDD too?

Answer:Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute

Hello and welcome. Please follow these guidelines while we work on your PC:Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I?ve given you the ?All clear.? Absence of symptoms does not mean your machine is clean! Please do not run any scans or install/uninstall any applications without being directed to do so.Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed. Download Farbar Recovery Scan Tool x64 and save it to a flash drive.Plug the flashdrive into the infected PC.Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Select US as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Select US as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an... Read more

2 more replies
Relevance 97.15%

Hello and Welcome to Bleeping Computer!!My name is Gringo and I'll be glad to help you with your malware problems.I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At t... Read more

Answer:win32/sirefef.ab, win64/sirefef.p and win64/sirefef.m

Hi Gringo
Thanks for your help. my firewall is down and i am lost on what to do. i have done what you asked and hope its ok.
what is this sirefef ? seems like it wants to stay.

Scan result of Farbar Recovery Scan Tool Version: 16-05-2012
Ran by SYSTEM at 16-05-2012 19:15:34
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10151968 2010-05-20] (Realtek Semiconductor)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113296 2010-03-29] (NEC Electronics Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\... Read more

8 more replies
Relevance 96.57%

Hello,

I've been infected with Sirefef for a week now, tried system restore, Full system scans in safe mode, tdss killer, numerous Sirefef removal tools from Kaspersky, Eset, Symantec to no avail. MS SE still founds Sirefef reincarnations from time to time.

please help!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by The Great Dark Lord at 2:12:28 on 2012-07-01
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8159.4495 [GMT 4.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Wind... Read more

Answer:Sirefef.P Win32 / Sirefef.Y Win64

Hi,Please run the following:Download Farbar Recovery Scan Tool and save it to a flash drive.Plug the flashdrive into the infected PC.Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computerFollow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" and find your flash drive letter and close the notepad. In the command window type e:\frst64.exe and press Enter. Note: Replace letter e with the drive letter of your flash drive.The tool will start to run. When the tool opens click Yes to disclaimer. Uncheck the Whitlelist boxes next to Registry, Services, Drivers, and known DLL's Place a check next to List Drivers MD5 Press Scan button. It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

33 more replies
Relevance 96.28%

I installed Microsoft security essential and ran a full scan of the system. But I found out that my windows is attacked by Trojan:win64/Sirefef.W, Trojan:win64/Sirefef.M and Trojan:win32/Sirefef.AK. Microsoft security essentials was unable to remove them. The main issue that I have been facing since this incident is that windows can't update Firewall settings. the following message is displayed "Windows Firewall cant change some of your settings. Error code 0x80070424". Additionally, the antivirus program "Microsoft security essential" keeps on detecting the above mentioned malwares and asks to delete these files. Once deleted it asks for a reboot. After restart again these viruses are re-created and its been happening for the last couple of weeks.sea In order to resolve this issue I searched the internet and found http://www.bleepingcomputer.com so I posted a topic regarding this issue and I have been recieving help from one of your experts. Here's the link of this topic:http://www.bleepingcomputer.com/forums/topic455970.html/page__gopid__2721298#entry2721298Now that problem persists, I have been asked for the elevated help and to post a new topic here. I am glad to know that your team is so dedicated for our help. As I am using 64-bit version of windows so only DDS logs were created. DDS.txt logs are given below and attach.txt is been attached as well.....DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 9.0.8112.16421 BrowserJavaVersion... Read more

Answer:Infected with Trojan:win64/Sirefef.W, Trojan:win64/Sirefef.M and Trojan:win32/Sirefef.AK

Hello and Welcome to Bleeping Computer!!My name is Gringo and I'll be glad to help you with your malware problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE:... Read more

27 more replies
Relevance 95.41%

I seemed to have picked this up last night. So far all I've done is when my anti-virus detects it, I've been moving it to anti-virus chest. When I ran the full scan though, it said it doesn't detect anything. Any help would be greatly appreciated.
 
 
 
 
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 1.6.0_30
Run by Toni at 7:09:16 on 2013-09-10
Microsoft Windows 7 Starter   6.1.7600.0.1252.63.1033.18.2048.392 [GMT -5:00]
.
AV: avast! antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Common Files\Spigot\Search Sett... Read more

Answer:Win32:Sirefef-BTT [Trj], Win64:Sirefef-A [Trj], Win32:Malware-gen

Good evening.  Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop. You will then need to extract the file(s) from the zipped folder. To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...In the Extraction Wizard window that opens, click on Extract and the contents should appear in a new window. Please close all open programs as this may result in a reboot being necessary.Double click TDSSKiller.exe to begin.Click Change parameters and check the two boxes under Additional Options and then click OK.Click Start scan and allow the tool to do just that.One the scan has completed, if the tool has identified anything allow it to carry out it's default action(s) - you'll need to click Continue where appropriate.Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.The log that the tool creates will be located at the root of you hard drive as C:\TDSSKiller.Version_Date_Time_log.txt. - i'd like a copy of the contents in your next reply.Please check that you get the one with the right date and time.   

19 more replies
Relevance 91.06%

found with mse and scanned with malwarebytes no help, just hoping someone can help
 
dds file logs
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 1.7.0_09
Run by Sean at 15:38:09 on 2013-08-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8141.5674 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* 1
SP: Windows Defender *Disabled/Updated* 0
SP: Microsoft Security Essentials *Disabled/Updated*

dataLayer.push({'event':'ldfMDL','mdlLocLabel':'forums'});

jQuery(function ($) {
// Load dialog on page load
$(".modal_cbox").modal({
opacity:50,
containerCss:{
backgroundColor:"#c8c9c9",
borderColor:"#5983C3",
height:510,
padding:5,
width:830,
},
onShow: function (dialog) {
$("html,body").css("overflow","hidden");

if( /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent) ) {
$('body').css('position','fixed');
}
},
onClose: function (dialog) {
$("html,body").css("overflow","auto");

if( /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent) ) {
$('body').css('position','relative');
}

$.modal.close();
}
});
});
9
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k... Read more

Answer:trojan.win64/sirefef.p and trojan.win32/sirefef.ab removal help

Hello silencer626 I would like to welcome you to the Malware Removal section of the forum.Around here they call me Gringo and I will be glad to help you with your malware problems.Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!Please do not run any tools unless instructed to do so.We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sa... Read more

34 more replies
Relevance 87.29%

Hi guys,

I'm running Windows 7 64bit OS. I recently found that Microsoft Security Essentials wasn't running and I had to reinstall it. Once I did it found these trojans.
I did a bit of research and read some other posts but it looks like there is a detailed and unique fix for each person.

I think I have done everything in the READ AND RUN ME thread, and I hope I have attached all the correct logs as requested.

The only problems I had were with MGTools. I got the following errors:
"The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll"
and
"Application has generated an exception that could not be handled.

Process id=0xac8 (2760), Thread id=0xce4 (3300)"

Thanks for your time.

Cheers
 

Answer:Trojan: Win32/Sirefef.AB and Trojan: Win64/Sirefef.P

Rescan with HitmanPro.
Choose to Delete these files if they are detected:

C:\$Recycle.Bin\S-1-5-18\$f6a6e0a66969d09ba37420a38f97ea5e\n
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

Ignore all other detections.
Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take affect, please do so.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

[RUN][BLACKLIST DLL] HKLM\[...]\Run : THXCfg64 (C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-360523327-522932163-1323501305-1000\$f6a6e0a66969d09ba37420a38f97ea5e\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$f6a6e0a66969d09ba37420a38f97ea5e\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : ... Read more

11 more replies
Relevance 87.29%

Hi,
I'm stuck with Microsoft Security Essentials detecting two trojans upon startup:

Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

Located in:
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

I ran everything on the READ & RUN ME (except RootRepeal as I got Windows 7 Professional x64).

I hope I have attached all needed logs.

P.S. I'm pretty sure that the KMService.exe in the MBAM log is a false positive (It's MSOffice activator).
 

Answer:Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Also this:
 

20 more replies
Relevance 87.29%

Hello everyone, sry if i make another post about this virus but as i saw around it sems to be different for everyone (the removing process)

here i am, from italy, praying for someone to help me to remove this, the situation atm it's that on intervals of 3 minutes Microsfot Security Essentials find on my pc this 2 files

Tojan:Win32/Sirefef.AB
Tojan:Win64/Sirefef.P
and i don't know what to do.. anyone that it's able to help me ?

EDIT: i'm running Windows 7 ultimate edition 64 bit service pack 1
 

Answer:Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P NEED HELP PLEASE!

anyone that can help me ? that thing it's stealing all my passwords!
 

2 more replies
Relevance 87.29%

Hi, I'm from Portugal and I'm getting frustrated because I can't remove this virus.

Microsoft Security Essentials is finding 2 files I can't remove when I reboot the computer. When I reboot, MSE continues to find those files.

I'm running Windows 7 Home Premium Edition 64 bit service pack 1.

Please help me!

Answer:Trojan:Win32/Sirefef.AB and Trojan:Win64/Sirefef.P

Help me, please. I don't know what to do.

60 more replies
Relevance 87.29%

Hello everyone, sry if i make another post about this facking virus but as i saw around it sems to be different for everyone (the removing process)

here i am, from italy, praying for someone to help me to remove this facking bleep, the situation atm it's that on intervals of 3 minutes Microsfot Security Essentials find on my pc this 2 files

Tojan:Win32/Sirefef.AB
Tojan:Win64/Sirefef.P
and i don't know what to do.. anyone that it's able to help me ?

EDIT: i'm running Windows 7 ultimate edition 64 bit service pack 1

Answer:Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P NEED HELP PLEASE!

anyone that can help me ? that thing it's stealing all my passwords!

4 more replies
Relevance 87.29%

Hi there i kept getting a virus that AVG couldn't remove, which AVG wouldn't stop popping up about, so i tried a different anti virus software MSE, which seemed to have i would believe half fixed the problem as symptoms from the virus before like redirected webpages etc MSE managed to stop however MSE is having trouble dealing with Trojan:Win64/sirefef.M and Trojan:Win32/sirefef.AK, now i saw a topic posted about the win32 1 which suggested to using combofix, which this site stats do not use unless asked too, so i wanted to do things by the book (or you guys about the problem) i have used combofix before on the same machine to remove another virus before a while ago (maybe a year ago?). a Step by step method of removing the virus' and what the virus' actually do so i know how bad it is for future reference. Thank you.Using an AZUS ROG laptop with windows 7.Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal

Answer:Trojan:Win64/sirefef.M and Trojan:Win32/sirefef.AK

DownloadTDSSkillerLaunch it.Click on change parameters-Select TDLFS file systemClick on "Scan".Please post the LOG report(log file should be in your C drive) DownloadaswMBRLaunch it, allow it to download latest Avast! virus definitionsClick the "Scan" button to start scan.After scan finishes,click on Save logPost the log results hereDownloadESET online scannerInstall itClick on START,it should download the virus definitionsWhen scan gets completed,click on LIST of found threatsExport the list to desktop,copy the contents of the text file in your reply

15 more replies
Relevance 87.29%

I recently downloaded the Sims 3 Pets from Origin. Think it's possibly not a coincidence that when I searched through the similar topics for the virus that people had the Sims 3 in their files. I checked the file location for something MalwareBytes picked up and it was created the day I downloaded this game. I can't seem to get rid of this virus. Microsoft Security Essentials, Windows Firewall and Windows Update will not turn on. When I scan with M Security Essentials and with M Security Scanner it gets to a certain point and then comes up saying there is a critical error and the laptop will restart in one minute. What can I do to get rid of this virus? I've uninstalled M Security Essentials now and have installed MalwareBytes. My details are:

64 Bit Operating System
Dell Inspiron N7010
Windows 7 Home Premium

The same restarting seems to happen on MalwareBytes. It's got to the same file on a quick scan three times:

C:\Windows\Installer\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\U

There are three files inside:

[email protected]
[email protected]
[email protected]

Once it's identified it, it says it urgently needs to restart.

Microsoft Security Essentials identified it as Win64/Sirefef.B

From MalwareBytes:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.11.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Bethany :: BETHANY-PC [administrator]

Protection: Disabled

11/08/2012 19:46:55
... Read more

Answer:Win64/Sirefef.B - MSE, Windows Firewall, Windows Update will not turn on - Restarts every minute when attempt to use M Security...

Greetings and Welcome to The Forums!!My name is Gringo and I'll be glad to help you with your computer problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At... Read more

29 more replies
Relevance 87.29%

Hello people,

found the forums while browsing the internet for solutions to my problem. This thread here -> http://forums.majorgeeks.com/showthread.php?t=260886 , kind of has very similar problems to mine.

I'm running Windows 7 64-bit Home premium on a Dell laptop and yesterday found out that my firewall has been disabled for unknown period of time and reasons. I tried setting it to default but alas to no success. I also encountered the MSE bug and made the mistake to uninstall then re-install it in vain.

I managed to run Window Defender Offline who detected Sirefef.b trojan but with each restart and scan it finds it again even though I seem to remove it successfully.

I also tried clean Windows boot by disabling start-up items and services but the error message window for forced restart in 1 min persists.

Usually I would try to clean the PC by myself but from all the info I read over the web I was left with the impression that this is something beyond my abilities.

I tried searching for similar topics but the fact a specific fix file is needed I decided to go for a separate topic. Sorry for spam if I did something wrong.

Thanks in advance
 

Answer:Win64/Sirefef.b trojan detected and critical, auto-restarting problem

Welcome to MajorGeeks, AngelHart

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.
On the System Recovery Options menu you will get the following options:





Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Click to expand...


Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your fla... Read more

21 more replies
Relevance 86.42%

It appears that I have a trojan or trojans on my computer. Avast keeps telling me that either Win32 DNSChanger-VJ has been blocked or Win64 Sirefef-A has been blocked. I noticed that there are a couple of previous posts on similar trojans. Should I just read and follow one of those or does removal need to be tailored to my computer?
I have Toshiba Satellite A135 Windows Vista Home Basic, 32 Bit, Service Pack 2.
Thanks

Answer:Win32 DNSChanger-VJ/Win64 Sirefef-A

Hello and Welcome to Bleeping Computer!!My name is Gringo and I'll be glad to help you with your computer problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE:... Read more

56 more replies
Relevance 86.42%

I recently purchased this laptop from a friend for a great price. After using the laptop I realize why it was such a bargain...

It had a Win7 fake anti-virus pop-up shortly after using it at home while I was in the process of trying to install avast! on the machine. By running a combination of rkill and MBAM I managed to remove the fake anti-virus and prevent it from rearing its head every time I tried to open any program. This didn't resolve the next issue of the DNS Changer though, not to mention any underlying issues I may not be aware of. After running a boot-time scan with avast! I discovered Win64:Sirefef-C (hiding inside of consrv.dll, my better judgement screamed "LEAVE IT ALONE"), and I also have the issue of Win32:DNSChanger-VJ being blocked by avast! every few minutes. If I disable avast! and attempt to do any internet browsing I got thrown all over the place. I'll never go to yellowpages.com again, that's for sure.

In the end, I ran out of options, so here I am, hoping that you good folks can get me out of this pickle (and a possible case of buyer's remorse! haha). My logs are below. Thanks in advance.

Guy

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_25
Run by Guy at 4:14:05 on 2011-12-12
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2804.1488 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
... Read more

Answer:Win64:Sirefef-C / Win32:DNSChanger-VJ

Hi Guy! Welcome to the forums!My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I would be glad to take a look at your log and help you with solving any malware problems.If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thi... Read more

15 more replies
Relevance 85.55%

Good day Sir

I am currently using AVG anti-virus. I discovered yesterday that my pc was infected with the above when a pop up appeared from AVG Resident Shield Alert.
Filename : c:\WINDOWS\System32\services.exe
Threat warning: Trojan horse patched_c.LZI detected when open

I searched online & followed to thsi forum. I ran esetscan & found this:
C:\Downloads\Software\apex-video-converter-free.exe multiple threats
C:\WINDOWS\Installer\{9081a400-93a1-c7e5-1756-88339bbd685a}\U\[email protected] Win64/Agent.BA trojan
C:\WINDOWS\Installer\{9081a400-93a1-c7e5-1756-88339bbd685a}\U\[email protected] Win64/Sirefef.AE trojan
C:\WINDOWS\Installer\{9081a400-93a1-c7e5-1756-88339bbd685a}\U\[email protected] a variant of Win32/Sirefef.FD trojan
Operating memory a variant of Win32/Sirefef.EZ trojan
I would appreciatte whatever help in overcoming this threat.

Thank you & looking forward to your advice.
D

Answer:Win64/Agent.BA trojan, Win32/Sirefef.FD trojan & Sirefef.AE trojan

Hello,Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.Orange Blossom

21 more replies
Relevance 85.26%

My security alert says I have these four viruses and all attempts to clean them using microsoft forefront client security have failed. Besides, the computer shuts down every couple of minutes. Please help, I am frustrated.

Answer:Please help me rid my laptop of win32/sirefef.an, sirefef, sirefef.ao, and sirefef.ag

Greetings and Welcome to The Forums!!My name is Gringo and I'll be glad to help you with your computer problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At... Read more

23 more replies
Relevance 84.68%

Hi, I am a first time poster on this forum, joined because I have used this site for reference in the past. 2 days ago my Microsoft Security software quarantined the "win64/sirefef.b" trojan. Yesterday, I found out I wasn't able to access the internet anymore because my Base Filtering Engine service was removed. I found directions online and reapplied that file and was able to connect to the internet (perhaps I should have come on here first) and started running MBAM. Halfway through, a bunch of "critical error" notices popped up and "SMART HDD" started running. My Windows Security software then noted the existence of "bumat!rts." At that point my PC automatically rebooted and the next time my files became hidden and background became totally black.

My question to anyone that may help is this: I've search this site for similar issues and was wondering if "sirefef.b" infections can be totally eradicated, I see that it's pretty severe. If it cannot be totally removed I wish to do a re-install of everything. I have a Toshiba Satellite lap top with the following CD's created after initial purchase: Toshiba Recovery Discs, Drivers Recovery Disc, and the Windows Environment Recovery Disc. Will I be able to get the laptop back to factory condition? What method is easiest?

I don't have another pc at home and therefore can't access the web. I can only check while at work.

Any help would be gla... Read more

Answer:Trojan (win64/sirefef.b)(win32/bumat!rts)(Smart HDD)

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.Please take note:If you have since resolved the original problem you were having, we would appreciate you letting us know. If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these characteristics just post what you can and we will guide you.Please tell us if you have your original Windows CD/DVD available.If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.If you have already posted a DDS log, please do so again, as your situation may have changed.Use the 'Add Reply'... Read more

13 more replies
Relevance 84.68%

Good evening. I hope I can get some help. Running Windows 7; experiencing browser search result links being redirected; security and anti-malware protection can detect but not permanently remove backdoor and trojan malware; no other obvious symptoms present as yet. Likely rootkit infection? DDS.txt is as follows:

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by Doctor at 17:24:13 on 2011-08-04
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3959.2170 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k net... Read more

Answer:Trojan: Win64/Sirefef.B and Backdoor: Win32/Cycbot.B

Additional symptom observed: MS security essentials updates disabled, "Error code: 0x80070422"; Windows 7 Firewall settings cannot be accessed, same error code.

41 more replies
Relevance 78.3%

Microsoft Security Essentials keeps reporting this Trojan and quarantines it. After attempts to remove the file, It keeps reappearing. It shows a file location that I am unable to find on my system C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\U\[email protected]
Now I am getting a warning about VirTool Win32/Obfuscator.XQ @ C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\n However, this file cannot be located wither. There is no C:\Windows\Install directory.
Also Combofix loads and starts then it crashes. Disappears from file manager and splash screen disappears -- The program literally stops running.


DDS Text File Contents:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Estelle Clark at 2:59:47 on 2012-05-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2423.1353 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSp... Read more

Answer:Infected with Trojan:Win32/Sirefef.AG and Sirefef.I

Hello and Welcome to Bleeping Computer!!My name is Gringo and I'll be glad to help you with your computer problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE:... Read more

4 more replies
Relevance 78.01%

Last night I was attempting to find a unicorn game for my daughter to play and I went to a site that told me I had to update or install a flash player I clicked thru to prompts to update or install and immediately got a pop up that Windows was shutting down in 60 seconds. I have managed to get around this error by hitting F2, F8, choosing Repair Windows and System Restore I restored it to the day before this happened. I have followed all of the instructions thus far. I got to the part where I download and launch and update malware antibytes and my problem returned advising me the system would shut down in 60 seconds and I was unable to launch any of the other downloaded tools. I had to do system restore to post this. The only one that I could run was the Rogue Killer. I am attaching that file. Thanks So Much for your time.
 

Answer:Win64 Sirefef Windows 7 Pro

Go to Start Menu > Run > (Type in) shutdown -a Now are you able to continue on with the Read and Run Me?
 

13 more replies
Relevance 76.56%

following instructions from my previous posting. at first the tools seemed to clear the search engine redirection, but GMER still shows a problem. Tech decided to send me to this forum, and I started again with step 6 on the guide. DDS worked well. Tried to run GMER with the new instructions, and it stops after about 40 min. Attempts to sneak the GMER through with a scrambled name failed. So I ran it for 25 min and stopped the scan and that is what I am posting.If it runs long enough the virus apparently stops the scan and I have a gray screen and have to turn off the laptop and turn it back on and try again. I ran CD emulation disable, and it said "finished" but I can't tell if I had anything to disable, since I got no further instruction from that program. Laptop seems to be working well with no redirection but tech thinks the virus is still present.

DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by MARK at 22:46:15 on 2012-04-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2118 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\... Read more

Answer:win32/sirefef.ac and win32/sirefef.ah redirecting trojans?

Hello and Welcome to Bleeping Computer!!My name is Gringo and I'll be glad to help you with your computer problems. Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send ... Read more

15 more replies
Relevance 75.4%

Hello, MSE had a message that said detected and cleaned virus and in the history came up Trojan:win32/sirefef.ak
.am
.ag
/sirefef and then proceeded to say remove.
kept getting the MSE logo spinning and saying cleaning and then same viruses would be in history
I used malwarebytes and it found the four aswell and cleaned them but I feel something is still there and runnin in the background because when I reboot my desktop icons keep resetting if I change them. Need help

Thanks
LR

what do you need for me to run a log to show the computer status?

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Roger Trudel :: ROGERTRUDEL-PC [administrator]

12/06/2012 6:25:09 PM
mbam-log-2012-06-12 (18-25-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 280359
Time elapsed: 15 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)... Read more

Answer:Trojan: win32/sirefef.ak & am & ag and sirefef

Hello and welcome to the forums!My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!I would be glad to take a look at your log and help you with solving any malware problems.If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete ... Read more

28 more replies
Relevance 75.4%

First of all, thanks to the ones who will help me getting rid of these menaces.

History: one or two days ago, while I was surfing the internet, a "flash player update" showed up, I gave it the permission to run, but as soon as it finished I was redirected to a page of adobe's site where there was written that the version of flash player I installed was not the last one. Then the pc started to freak out with this program, Live Security Platinum, that wanted to force me to acquire a license. Fortunately, I managed to remove Live Security Platinum with MalwareBytes anti-malware, but then my antivirus (ESET Nod32, ver 5.0.1) continously showed two advices, the former about Win64\Sirefef.AL trojan, wich was continuously sent to quarantine but always showed up again; the latter about Win64\patched.b.gen trojan, that NOD32 was "unable to clean", so I tried to use a restore point of a week ago. The pc seems to work normally, and NOD32 doesn't show those advices anymore, but when I try to open gmail with firefox it says "Firefox has detected that the server is redirecting the request for this page so that it can never be completed.", so I think the trojans are still here somewhere.

Yet again, thanks to who will help me

Answer:Pc infected by win64\patched.b.gen and win64\Sirefef.AL

Greetings and Welcome to The Forums!!My name is Gringo and I'll be glad to help you with your computer problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At... Read more

18 more replies
Relevance 75.4%

Hey,

Since today I got a problem with ESET not deleting some trojans, namely Win64/Sirefef.AL, Win64/Patched.B.Gen. ESET is popping up the threat quite often, but can't remove them.
I don't have any clue what to do about it. Can anyone help me?

Greetings

Answer:Win64/Sirefef.AL, Win64/Patched.B.Gen (services.exe)

Greetings and Welcome to The Forums!!My name is Gringo and I'll be glad to help you with your computer problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At... Read more

17 more replies
Relevance 75.4%

Just saw this, Eset started acting up today. I did see a process running in process explorer, but didn't get a good look at it before I ended it. Said to my self, might as well give it to the experts.

Answer:Win64/Patched.B.Gen trojan & win64/sirefef.w

Hello,Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.Orange Blossom

17 more replies
Relevance 105.37%

I have been following the instructions on the Tutorials "How to remove a trojan virus..." but am still finding troubles with the Firewall. In the meantime I downloaded and installed ZoneAlarm as a firewall. I use Windows Security Essentials, and that had been shut down too. I uninstalled that, and reinstalled a new copy, but it won't ever allow the downloads of the recent definitions. I managed to update the definitions today and it found Trojan:Win64/Sirefef.AC and removed it.

Any help would be greatly appreciated. Thank You.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_35
Run by beanefamily at 22:06:21 on 2012-09-06
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2000 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestric... Read more

Answer:Had/Have Trojan:Win64/Sirefef Infection, cannot turn on Windows Firewall

Please do the following:download Farbar Recovery Scan Tool and save it to a flash drive.Plug the flashdrive into the infected PC.Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

13 more replies
Relevance 105.37%

Im running windows 7 32bit with ASAST trial version antivirus software. I keep getting the following pop up

TROJAN HORSE BLOCKED
OBJECT C:\windows/installer\{a845e5fe-62db-bf60-4bc8-75089fd10fa0}\U\[email protected]
INFECTION Win64:sirefef-AHF [Trj]
Process c:\windows\system32/services.exe
action moved to chest

I have tried to delete several times but this trojan wont go away. Please help!

Answer:WINDOWS 7 32 BIT AVAST -TROJAN Win64:sirefef-AHF FILE [email protected]

Hello and welcome to the forums!My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!I would be glad to take a look at your log and help you with solving any malware problems.If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete ... Read more

2 more replies
Relevance 104.96%

A few days ago I started having issues with Google redirecting me to random ad websites, as well as Flash Player update popups. I updated my Microsoft Security Essentials, and since then it has been warning me with the presence of the file names in the topic title, and giving me the option to remove them. I select the removal option and everything is fine for a time but then MSE pops up again warning me of the same files. Anything you could do to help me get rid of these is greatly appreciated.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_25
Run by Dave at 14:15:54 on 2012-04-03
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4031.2141 [GMT 10:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\... Read more

Answer:Infected With Alureon.FP, Sirefef.B, Sirefef.W, Sirefef.AB & Sirefef.J

Download aswMBR ( 511KB ) to your desktop.Double click the aswMBR.exe icon to run itIf you can have an open Internet connection, allow it to download the latest Avast engine detections.If avast! antivirus is already installed, just do the next step.Click the Scan button to start the scanOn completion of the scan, click the save log button, save it to your desktop and post it in your next reply.In addition, aswMBR will produce a copy of the boot sector, MBR.dat, on your desktop. Attach this file to a reply.

3 more replies
Relevance 104.55%

Good morning and thank you for what you do.

On May 6th my laptop was hit with SMART HDD. I went straight to the "Am I Infected" forum, posted the problem and followed the "Remove SmartHDD Uninstall Guide" with the help of a BC Advisor. It seemed ok for a few days and I got most of my icons back.

On May 16th Microsoft Security Essentials popped up a notice saying it wasn't turned on. Absolutely couldn't get it to start without uninstalling and re-installing it. On install it ran a scan and found no threats, but later found & quarantined Trojan:Win32/Sirefef.AG and Trojan:Win32/Sirefef.I At the same time, the Windows Firewall became disabled and would not be turned on. I returned to the forum with my original BC Advisor and ran TDSSkiller and GMER and posted the log report. When I had internet connection MSE would quarantine Trojan:Win32/Sirefef.I and Trojan:Win32/Sirefef.AG at a rate of one every two minutes. The screen also said Recommended Action: Remove this software immediately. Items: file:C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] and file:C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] I hit "remove all" every time it appeared. BC Advisor responded "That?s a new variant of zero access" "We need advanced tools" and told me to read the preparation guide and post a topic here.

I have followed ... Read more

Answer:Infected: New Variant of Zero Access, Sirefef.AG,Sirefef.I,Sirefef.P

Hi,

Do you have an empty USB flash drive?
We can try an alternative method.

Regards,
Georgi

more replies
Relevance 102.5%

A few days ago, I got the Sirefef.AB and Sirefef.W virus on my computer. I had no idea the severity of my problem until after I reinstalled MSE which has now caused my computer to constantly restart. I have used Farbar to create a FRST.txt and Server.txt file, though I do not know if that will help on this site in the removal of this blasted virus, and I will wait to post it until I have been instructed if I should do so. I really am at a loss here. I am not that great with computers, and could really use some help.

Edit: Added note, for the short while before I reinstalled MSE, I was having redirection problems when clicking on Google links. It also restarts in Safe Mode.

Answer:Sirefef.AB and Sirefef.W for Windows 7 Infected Computer with Constant Reboot

Greetings And Welcome To The Forums!!My name is Gringo and I'll be glad to help you with your malware problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At... Read more

3 more replies
Relevance 102.09%
Question: Win64\sirefef.y

Hi All

I'm working on removing sirefef.y from a friend's computer. The operating system is 64 bit Vista. I've seen other posts and they specify that the fix file is unique, so I'm making a new post.

I've attached the standard FRST.txt and the search.txt (searching for services.exe) as done in other posts. Both were done in system repair mode.

Help on this will be much appreciated.
 

Answer:Win64\sirefef.y

Welcome to MajorGeeks, psquared76

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

Save fixlist.txt to your flash drive.
You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now reboot normally and remember to attach your Fixlog.txt.
 

8 more replies
Relevance 102.09%
Question: Win64/Sirefef

Hello,

A few days ago I was using my Windows 7 PC on the Internet and noticed a few strange things. First, searches on google would bring back an odd certificate error message. Second, started getting some random pop-up windows with various advertisements. Last, Microsoft Security Essentials (MSE) was not active and I could not make it so.

I tried a few of my standard things - SuperAntiSpyware and Malwarebytes. SuperAntiSpyware only found tracking cookies. Malwarebytes did eliminate a few things. However, after a few reboots MSE was still not running. I decided to uninstall and reinstall MSE. That's when interesting things started to happen. The next scan found Trojan: Win64/Sirefef (and various variants at different times .W, .AA, .AB, .AN, .P). For awhile, MSE kept forcing reboots as it was trying to clean the files but then they would pop back up on reboot.

Yesterday I posted in the "Am I Infected?" forum. After providing a number of logs and following some instructions, there are some infected files that can not be removed. I was directed to open a topic here. The "Am I Infected" topic is: http://www.bleepingcomputer.com/forums/topic459471.html

I have followed the steps in the Preperation guide. Most steps were sucessful with the following exceptions:
5) I could not enable the Windows Firewall. When I tried to use the default settings, I got the message "Windows Firewall can't change some of your settings. Error code 0x80070242"... Read more

Answer:Win64/Sirefef

Hi,Please run the following:Download Farbar Recovery Scan Tool and save it to a flash drive.Plug the flashdrive into the infected PC.Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computerFollow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" and find your flash drive letter and close the notepad. In the command window type e:\frst64.exe and press Enter. Note: Replace letter e with the drive letter of your flash drive.The tool will start to run. When the tool opens click Yes to disclaimer. Uncheck the Whitlelist boxes next to Registry, Services, Drivers, and known DLL's Place a check next to List Drivers MD5 Press Scan button. It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

17 more replies
Relevance 102.09%
Question: Win64/Sirefef

This is a scan i did just this morning from the system recovery console.

I've tried removing the virus with Microsofts removal tool, MBAM, Superanti-spyware and the computer repairs itself because it won't boot. I would appreciate any help. I've spent hours so far trying to remove the viruses. Thanks ahead

Scan result of Farbar Recovery Scan Tool Version: 08-08-2012
Ran by SYSTEM at 08-08-2012 07:55:42
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-09-07] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-09-07] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-09-07] (Intel Corporation)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-06-18] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1890088 2010-03-17] (Synaptics Incorporated)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [DellStage] "... Read more

Answer:Win64/Sirefef

Hello and welcome. Please follow these guidelines while we work on your PC:Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean! Please do not run any scans or install/uninstall any applications without being directed to do so.Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed. Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt 0 9e85bf7ff8e6964d; C:\Windows\System32\Drivers\9e85bf7ff8e6964d.sys [74184 2012-06-21] () ATTENTION =====> Rootkit?
C:\Windows\System32\Drivers\9e85bf7ff8e6964d.sys
C:\Windows\Installer\{e5aa47ef-3909-519c-e2e7-95e78d049088}
testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemNow please enter System Recovery Options again.Select Command PromptIn the command window type in notepad and press Enter.The notepad opens. Under File menu select Open.Select "Computer" and find your flash drive letter and close... Read more

2 more replies
Relevance 102.09%
Question: Win64:Sirefef-A/AO

Hello, I do not know where I got it but today Avast started saying "trojan horse blocked" or "rootkit blocked" every 30 seconds or so. Avast says the virus names are Win64:Sirefef-A[trjn] and win32:sirefef-AO[rtk]. All of the Sirefef-A files located in c:recylcer and there are very many of them in Avasts virus chest at this point. I have been trying to research it on Google and am worried if it can get any information from me checking my bank online. Even in safemode virus scans cannot find anything and I am starting to realize handling this is outside of my capabilities. Any help would be very much appreciated,thank you for your time!
Levi

Answer:Win64:Sirefef-A/AO

Greetings and Welcome to The Forums!!My name is Gringo and I'll be glad to help you with your malware problems.I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At the top o... Read more

16 more replies
Relevance 102.09%
Question: Win64/Sirefef.B

My wife's laptop - running 64 bit Vista - appears to be infected with the Win64/Sirefef.B rootkit. The biggest issue right now is that whenever you logon to the computer, a pop-up box appears saying that a Critical Error has been detected and the computer will reboot in one minute. And it does. It exhibits the same behavior when booting into Safe Mode, as well.

I've downloaded and executed the Kapersky boot disc and the MSE boot disk, both to no avail. Neither one, at this point, reports having found anything. However, after running MSE, on the first reboot only, Windows MSE runtime will find and report the Win64/Sirefef.B infection. However, because the computer reboots, MSE is unable to take any action against the infection.

Help?

Thanks,
Lee

PS - Since the computer reboots within one minute, I am unaware of how I can generate the log files as requested.

Answer:Win64/Sirefef.B

Welcome to the forum, shoppedude!See if you can do the following in the short span you have available...Do you have the Repair your computer option in the Advanced Boot Options menu?To find out: Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.Is the Repair your computer option listed?If you do not have the option above, do you have a Windows Vista installation CD/DVD available, or, access to another Windows Vista Computer? And last, do you have a USB flash drive available?

1 more replies
Relevance 102.09%
Question: Win64/Sirefef.p

We have a laptop here that has this running on it just like the other threads. I ran FRST and have the text file from that attached. Thanks for the help and info! I should add that the computer has started up without the restart issue that it causes after I ran FRST. Im going through a full scan with MSE. Is any further action needed?
 

Answer:Win64/Sirefef.p

Save fixlist.txt to your flash drive.
You should now have both fixlist.txt and FRST.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.

Running MGTools.
 

4 more replies
Relevance 102.09%
Question: Win64/Sirefef

Microsoft windows essential found a virus win64/sirefef and many of its variants, but is unable to remove it properly.
Every time I try to remove the virus/Trojan, the computer says "Windows has encountered a critical problem and will restart in one minute." I then need to do a system restore to stop the message from appearing when I restart the computer.

Any help is appreciated.

Answer:Win64/Sirefef

DownloadTDSSkillerLaunch it.Click on change parameters-Select TDLFS file systemClick on "Scan".Please post the LOG report(log file should be in your C drive) Do not change the default options on scan resultsDownloadaswMBRLaunch it, allow it to download latest Avast! virus definitionsClick the "Scan" button to start scan.After scan finishes,click on Save logPost the log results hereDownloadESET online scannerInstall itClick on START,it should download the virus definitionsWhen scan gets completed,click on LIST of found threatsExport the list to desktop,copy the contents of the text file in your reply

10 more replies
Relevance 102.09%
Question: Win64/Sirefef.P

My PC seems to be infected with Win64/Sirefef.P. I saw in a previous post being asked to run FRST, so I went ahead and did that. Attached are the 2 txt files. If this is incorrect/anything else is needed, just let me know. Any help is greatly appreciated. Thanks.
 

Answer:Win64/Sirefef.P

Welcome to Major Geeks!

Download this >>

View attachment fixlist.txt




Save fixlist.txt to your flash drive.

You should now have both fixlist.txt and FRST64.exe on your flash drive.
Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows and tell me how things are working.
 

3 more replies
Relevance 102.09%
Question: Win64:Sirefef-C

My computer was infected with some malware, so I used malwarebytes in safe mode, which removed alot of malware. But when I started my computer backup some thing called system fix started and I restarted in safe mode with networking, used a search to find out how to remove it. I found the removal guide here and during the rkill download, system fix started while I was in safe mode. I finally got rkill to run before it could and then used Malwarebytes, which found and removed it. I then started up normally and used the Unhide.exe but noticed that when I searched for sites I was being redirected. Not only that now I can't seem to get Windows firewall to work. It says Error code: 0x8007042c, my restore points are missing and not everything is back like my desktop background. Plus the System Fix icon is on the desktop still.

I am way over my head, sorry for the life story.
This may be a better description of the problem: http://www.bleepingcomputer.com/forums/topic436503.html/page__pid__254

Here is the DDS.txt:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Rizu at 16:27:20 on 2012-01-11
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3033.58 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLa... Read more

Answer:Win64:Sirefef-C

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Somethings to remember while we are working together.Do not run any other tool untill instructed to do so!please Do not Attach logs or put in code boxes.Tell me about any problems that have occurred during the fix.Tell me of any other symptoms you may be having as these can help also.Do not run anything while running a fix.Do not run any other tool untill instructed to do so!Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.Run Combofix:You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<Combofix may need to reboot your computer more than once to do its job this is normal.You can download Combofix from one of these links.Link 1Link 2Link 3 1. Close any open browsers or any other programs that are open.2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

11 more replies
Relevance 102.09%
Question: Win64 Sirefef.B

MSE keeps detecting this.
Malware Bytes, MSE, and Ad-Aware scans clean, but this thing keeps coming back.
Firefox keeps opening 2 windows every time I visit a new page.
My firewall basically disappears and trying to re enable its service gives me an error saying its not installed.
I don't know how this happened, gone for a few days so probably a family member.

Any help getting rid of this would be appreciated.

edited for logs

Answer:Win64 Sirefef.B

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Somethings to remember while we are working together.Do not run any other tool untill instructed to do so!please Do not Attach logs or put in code boxes.Tell me about any problems that have occurred during the fix.Tell me of any other symptoms you may be having as these can help also.Do not run anything while running a fix.Do not run any other tool untill instructed to do so!Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.Run Combofix:You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<Combofix may need to reboot your computer more than once to do its job this is normal.You can download Combofix from one of these links.Link 1Link 2Link 3 1. Close any open browsers or any other programs that are open.2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

14 more replies
Relevance 100.86%

Running Win7 (x64). First noticed a problem when I booted and my desktop icons were in the wrong places (and medium instead of small). Then Norton Internet Security 2012 (fully updated) reported an error related to the Base Filtering Engine. Since then I've tried various things with the following results:

Norton Internet Security:

Reports that it has blocked [email protected] (Trojan Zeroaccess) and [email protected] (Trojan Zeroaccess) repeatedly. It has also blocked attempts by services.exe to target RMTray.exe (part of Norton, I believe).

Malwarebytes Anti-Malware:

I've run this several times (both quick and full scans; both regular and safe mode). It kept finding a rootkit in the windows\installer folder, but the most recent scans no longer report this.

Hitman Pro

I've run this several times (both regular and safe mode). It finds \windows\system32\services.exe and reports it as Virus.Win64!IK and Virus:Win64/Sirefef.B. It suggests Replace as the fix. I've tried this several times. In Safe Mode, it doesn't tell me it failed, but it doesn't seem to have fixed the problem. In standard mode, while it is trying to fix the problem I get an error telling me that Windows will reboot in 1 minute (and it does). However, as of this morning (and after posting the original help request), Hitman Pro is no longer reporting the virus (though Norton still seems to be stopping something...).

I've also run the McAfee rootkit tool, the Micr... Read more

Answer:Win64/Sirefef.B infection

Greetings and Welcome to The Forums!!My name is Gringo and I'll be glad to help you with your computer problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At... Read more

51 more replies
Relevance 100.86%

Hello, my Norton antivirus subscription ran out last week and I switched to Microsoft Security Essentials. After installing it, I tried to update its definitions, but the computer began restarting after startup. I get the critical error message saying my computer will restart in one minute. This occurs in all 3 safe modes immediately after logging into Windows. MSE says I have win64/sirefef.y and win64/sirefef.b but it cannot remove them before shutdown occurs.

I have windows vista, 64 bit on the computer. My girlfriend has a laptop, so I'll be able to access the Internet directly while working on the infected computer. I looked at other posts on the forum and took the liberty of running frst64.exe and got the two logs everyone seems to ask for initially. They are posted below.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<FRST64.exe>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 02
Ran by SYSTEM at 20-07-2012 00:45:30
Running from F:\
Windows Vista ™ Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] RAVCpl64.exe [x]
HKLM\...�... Read more

Answer:win64/sirefef.y and .b on Vista 64 bit

HiPlease do the following:Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt start
HKLM-x32\...\Run: [] [x]
C:\Windows\Installer\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}
C:\Users\Brian\AppData\Local\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}
replace: C:\Windows\SoftwareDistribution\Download\d15e0adcf011f7a00bde2023e8b74a00\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe C:\Windows\System32\services.exe
endNOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating systemNow please enter System Recovery Options then select Command PromptRun FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.Reboot Normally.NEXTRefer to the ComboFix User's Guide Download ComboFix from the following location:

Link

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a ri... Read more

8 more replies
Relevance 100.86%

My computer is infected with Win64/sirefef.y, b, ab, w, and m. It reboots within 60 seconds of logging in, both in normal and safe mode. Actually, it even reboots if I let it sit at the user logon screen. It reboots too quickly for any antivirus or anti-malware to disinfect it. I have run the Farbar Recovery Scan Tool - 64 bit and attached the logs (FRST.txt, Search-Explorer.txt, and Search-Services.txt). I guess I need a fixlist.txt file now. Could someone please create one for me? I would be forever grateful. Thanks, Ginger

Answer:Infected with Win64/sirefef.y, b, ab, w, and m

Please ignore the previous post. The computer is running Vista, so I'm just going to wipe it out and install 7. Thanks

1 more replies
Relevance 100.86%

Hi my step dads computer has this virus and its kicking my ass. Its restarting every minute and i cant do anything. I have run frs. and here is the log.
can result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-10-2012 01
Ran by SYSTEM at 03-10-2012 20:56:07
Running from D:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2799912 2012-02-02] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2012-02-02] (IDT, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel? Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2012-02-02] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe [94264 2011-02-15] (Hewlett-Packard Development Company... Read more

Answer:Trojan Win64/Sirefef.Y

Greetings And Welcome To The Forums!!My name is Gringo and I'll be glad to help you with your malware problems.I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At the ... Read more

3 more replies
Relevance 100.86%

Hi,

On approximately the 8th of July Microsoft Security Essentials alerted me to state that Win64/Sirefef had been found on my system and that the associated files had been quarantined. At the same time I was received a fake Flash update prompt which I would not stop appearing, when I looked in Task Manager a found a randomly named EXE file and closed this which closed the Flash prompt. I then cleared the quarantined files from MSE and manually removed the folders where the files had been located. I then did a full system scan with MSE and ESET Online Scanner which if I recall correctly did not find any infected files. However last week when helping a friend with a virus infection I ran some other tools on my system with makes me think MSE did not managed to stop the infection completely, below is an extract from a rogue killer scan I did which I believe indicates a potential ZeroAccess infection.

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: Jamie [Admin rights]
Mode: Scan -- Date: 07/22/2012 15:44:56

??? Bad processes: 0 ???

??? Registry Entries: 6 ???
[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Jamie\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n.) -> FOUND
[HJ] HKCU&... Read more

Answer:Win64/Sirefef / ZeroAccess

Hello and welcome to Bleeping Computer! I am D-FRED-BROWN and I will be helping you. Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.----------Step 1----------------I know you've already run TDSSKiller before, but please run it one more time so we have an up-to-date idea of what may be remaining on the computer. Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.Click the Start Scan button.Do not use the computer during the scanIf the scan completes with nothing found, click Close to exit.If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.Ensure Skip is selected, then click Continue > Reboot now to finish the cleaning process.
Note: Do not choose Cure or Delete unless instructed.A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually ... Read more

7 more replies
Relevance 100.86%

My computer is infected with Win64/sirefef.y, b, ab, w, and m. It reboots within 60 seconds of logging in, both in normal and safe mode. Actually, it even reboots if I let it sit at the user logon screen. It reboots too quickly for any antivirus or anti-malware to disinfect it. I have run the Farbar Recovery Scan Tool - 64 bit and attached the logs (FRST.txt, Search-Explorer.txt, and Search-Services.txt). I guess I need a fixlist.txt file now. Could someone please create one for me? I would be forever grateful. Thanks, Ginger
 

Answer:Infected with Win64/sirefef.y, b, ab, w, and m

Welcome to Major Geeks!


Download this >>


Save fixlist.txt to your flash drive.

You should now have both fixlist.txt and FRST64.exe on your flash drive.
Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.

Now run MGtools as requested in the below and attach the C:\MGlogs.zip file that it creates.

Also attach Fixlog.txt from FRST.
 

3 more replies
Relevance 100.86%

Hello. Pardon my newbness on this one but I'm having some serious issues trying to remove all infections from a PC.

Currently running Windows Vista Home - 64bit

I've managed to remove a fake FBI moneypak infection but can't seem to remove all "found" infections.

Microsoft Security Essentials has identified a Trojan:Win64/Sirefef.AH located...

containerfile:C:\Windows\system32\services.exe
file:C:\Windows\system32\services.exe->731
process:pid:684

All actions( quarantine, delete, disinfect) are all thwarted

Please help!!!!!!

Answer:Infected w/ Win64/Sirefef.AH

You got a nasty virus there and will need elevated helpPlease follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

1 more replies
Relevance 100.86%

Hello, I have read many responses to this issue and was hoping I would be able to get some help with this issue.

History:
Originally I was seeing page redirects and Microsoft Security Essentials was giving me errors. I ran Avast pre-boot scan and cleaned, everything seemed fine. I checked MSE and it was still having the same issue, I reinstalled and now I am seeing it discovered Win64: Sirefef.B Virus. Since then, almost immediately after each boot I am getting a pop-up stating Windows will restart itself. I cannot stop the shutdown, no strange services to my knowledge, and this occurs in safe mode as well. System restore has not been able to help.

Because of the short reboot window I have not been able to fix much - I have attached the Farbar results. Any help is greatly appreciated!!
 

Answer:Win64 Sirefef.B has beaten me, please help

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

Save fixlist.txt to your flash drive.
You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

-------------------------------

You now need to follow these peocedures and attach all of the requested logs after doing so.

READ & RUN ME FIRST. Malware Removal Guide
 

22 more replies
Relevance 100.86%

As far as I know my computer is infected with win64/Sirefef B and win64/Sirefef Y. I tried removing it with Windows Defender Offline which didn't succeed. I do not have a Windows boot CD / install disc.

PS. Ark.txt isn't included in the ZIP file since I'm not running a 32 bit version, I hope I understood this correctly.

DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by T.M. Meijers at 18:47:21 on 2012-10-20
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.31.1033.18.3948.2429 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwor... Read more

Answer:Logs - win64/Sirefef B + Y

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.
On the System Recovery Options menu you will get the following options:Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In ... Read more

11 more replies
Relevance 100.86%

Hey everyone. I'm not the most savvy with computers so if you could bare with me I'll try my best. I tried to follow all the instructions for the board rules ahead of time, forgive me if I missed something I'll try to amend.

Problem: NOD32 discovered a couple of weeks ago an issue it was unable to clean. I've tried following other guides in safe mode to directly remove the trojan, however nothing has been specific to this issue. What it does I haven't a clue. But when I try to update my clock (usually runs 1-2 minutes ahead) it will say windows had a critical error). It will send me through a loop of starting and restarting my computer after 1 minute with "Windows has encountered a critical problem and will shut down in 1 minute". I fixed this through system restore I guess when I changed the time it went haywire. Furthermore, when I try to delete services.exe from my task manager the same message pops up. I've tried safe mode and it gives me the same issue if I try to delete services.exe. Furthermore, randomly I'll have music playing for ads like jungle.com or other nonsense. There's the problem, let's solve it.

This is where the trojan is located:

C:/Windows/Installer/{00b520a8-9697-e321-8b92-12fdae1b7498}
C;/Windows/system32/service/.exe

NoD32 says unable to clean both.
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_33
Run by Brandon Singh at 16:07:37 on 2012-08-14
Mic... Read more

Answer:Help With win64/sirefef.al.trojan

Please do the following:download Farbar Recovery Scan Tool and save it to a flash drive.Plug the flashdrive into the infected PC.Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

24 more replies
Relevance 100.86%

Dell laptop has sirefef.b trojan sirefef.j trojan and win32/alureon.TK

These are all trojans.

The laptop has MicSecEssentials, and malwarebytes free version, both of which I put onto the computer after the viruses were there.

system Specs:
Dell Inspiron
intel i3 2130 2.3 ghz
4gb ddr3 ram
hd graphics 3000
Win 7 64

I wanted professional help to deal with these problems and I do not trust many random websites. Please assist! Any help will be greatly appreciated.

-Mike

Answer:Trojan win64/ sirefef.b and .J

This is safe - and you are right to be wary...

Microsoft Safety Scanner - Antivirus | Remove Spyware, Malware, Viruses Free

7 more replies
Relevance 100.86%

Microsoft Security Essentials(which is only thing that picks it up) detected Trojan:Win64/Sirefef.B at C:\Windows\system32\consrv.dll but each time it says it removed or it says not found and it just keeps coming back haven't tried anything else to remove and also haven't noticed much change in way of performance or operation of the computer.

Answer:Trojan:Win64/Sirefef.B

Hello and Welcome to Bleeping Computer!!My name is Gringo and I'll be glad to help you with your computer problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE:... Read more

19 more replies
Relevance 100.86%

Hello, I am looking for a way to remove the Win64/Sirefef.AB trojan. I followed some of the other threads and I have ran the FRST64 tool my the output text file is attached here, I appreciate any help that is available.
 

Answer:Trojan:Win64/Sirefef.AB

We need some additional information so that we can replace an infected system file.

Boot to System Recovery Options and run FRST again.
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply.
 

4 more replies
Relevance 100.86%

Hello, I am having some trouble with removing the sirefef infection. I am running Windows 7 home premium 64 bit, I have already run FRST64 and here are the results.

Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 02
Ran by SYSTEM at 19-07-2012 13:36:31
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [161304 2010-08-10] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [386584 2010-08-10] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [415256 2010-08-10] (Intel Corporation)
HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA�... Read more

Answer:win64/sirefef.p infection

Greetings And Welcome To The Forums!!My name is Gringo and I'll be glad to help you with your malware problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At... Read more

20 more replies
Relevance 100.86%

Running Win7 (x64). First noticed a problem when I booted and my desktop icons were in the wrong places (and medium instead of small). Then Norton Internet Security 2012 (fully updated) reported an error related to the Base Filtering Engine. Since then I've tried various things with the following results:

Norton Internet Security:

Reports that it has blocked [email protected] (Trojan Zeroaccess) and [email protected] (Trojan Zeroaccess) repeatedly. It has also blocked attempts by services.exe to target RMTray.exe (part of Norton, I believe).
Malwarebytes Anti-Malware:

I've run this several times (both quick and full scans; both regular and safe mode). It kept finding a rootkit in the windows\installer folder, but the most recent scans no longer report this.

Hitman Pro

I've run this several times (both regular and safe mode). It finds \windows\system32\services.exe and reports it as Virus.Win64!IK and Virus:Win64/Sirefef.B. It suggests Replace as the fix. I've tried this several times. In Safe Mode, it doesn't tell me it failed, but it doesn't seem to have fixed the problem. In standard mode, while it is trying to fix the problem I get an error telling me that Windows will reboot in 1 minute (and it does).

I've also run the McAfee rootkit tool, the Microsoft Malicious Software Removal tool, and maybe a few others, all without any success.

Based on other messages that I've seen here, I downloaded and ran some of the other diagn... Read more

Answer:Win64/Sirefef.B infection

I apologize for the duplicate posts. It looked like Windows hadn't registered the "Post" click so I mistakenly tried clicking again. Please delete the duplicate post if possible.

3 more replies
Relevance 100.86%

Hello,

Yesterday, I was using my Windows 7 PC on the Internet and noticed a few strange things. First, searches on google would bring back an odd certificate error message. Second, started getting some random pop-up windows with various advertisements. Last, Microsoft Security Essentials (MSE) was not active and I could not make it so.

I tried a few of my standard things - SuperAntiSpyware and Malwarebytes. SuperAntiSpyware only found tracking cookies. Malwarebytes did eliminate a few things. However, after a few reboots MSE was still not running. I decided to uninstall and reinstall MSE. That's when interesting things started to happen. The next scan found Trojan: Win64/Sirefef (and various variants at different times .W, .AA, .AB, .AN, .P). For awhile, MSE kept forcing reboots as it was trying to clean the files but then they would pop back up on reboot. I think I managed to get control back from MSE, but I am at a loss on how to proceed. I did some searches on Sirefef and realized I need some help. Please let me know what information to provide.

Thank You!

Answer:Trojan: Win64/Sirefef

DownloadTDSSkillerLaunch it.Click on change parameters-Select TDLFS file systemClick on "Scan".Please post the LOG report(log file should be in your C drive) DownloadaswMBRLaunch it, allow it to download latest Avast! virus definitionsClick the "Scan" button to start scan.After scan finishes,click on Save logPost the log results hereDownloadESET online scannerInstall itClick on START,it should download the virus definitionsWhen scan gets completed,click on LIST of found threatsExport the list to desktop,copy the contents of the text file in your reply

15 more replies
Relevance 100.86%

Hello Everybody,
Can you please help with the infection some tools detect them and remove but not completely they keep popping up every 5 mins and shutsdown.
I really dont want to reinstall os...

Thanks In Advance!
Chinn

Answer:Win64/sirefef.y problem

Greetings and Welcome to The Forums!!My name is Gringo and I'll be glad to help you with your computer problems. I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At... Read more

12 more replies
Relevance 100.86%

I am helping a friend who used your guides to try to remove the "Live Security Platinum" malware.

She followed the guide, but while running Malwarebytes in safe mode, a message stating Windows encountered an error and was restarting in 60 seconds appeared. In about 60 seconds, Windows restarted before Malwarebytes had completed.

From that point on starting Windows normally, in Safe Mode, and Safe Mode with networking results in the above message, and a restart in 60 seconds. She tried running FixExec as mentioned in the Guide. I helped her and got it to run in Safe Mode before it restarted, but the restart message continues.

I restored to an earlier restore point about 1 week before the symptoms occurred. That seems to have stopped the restart message. The computer runs in all modes, and does not seem to have any errors.

I do not trust the clean-up. Any suggestions on how to be sure the machine is clean(er)?

Thanks for your attention.

jfparla

Answer:Trojan:win64/Sirefef

Boot the PC into safemode with networkingDownloadTDSSkillerLaunch it.Click on change parameters-Select TDLFS file systemClick on "Scan".Please post the LOG report(log file should be in your C drive)DownloadaswMBRLaunch it, allow it to download latest Avast! virus definitionsClick the "Scan" button to start scan.After scan finishes,click on Save logPost the log results hereDownloadESET online scannerInstall itClick on START,it should download the virus definitionsWhen scan gets completed,click on LIST of found threatsExport the list to desktop,copy the contents of the text file in your reply

13 more replies
Relevance 100.86%

I'm trying to help my mother in law whose Windows 7 64-bit computer is apparently infected with Sirefef / Sirefef.Y
Shortly after startup, I get the critical error message saying my computer will restart in one minute. I can't seem to stop it from doing so, even in safe mode, so there isn't time to remove the trojan using Malware Bytes. I have Security Essentials too, but no luck removing this (also the 60 second restart is an issue).

Can someone please guide me through what I need to do? Thanks!!

Answer:Trojan Win64/Sirefef.Y

Hello, will the same thing happen in Safe mode (try all three safe mode options)?

4 more replies
Relevance 100.86%

Hi

My spouses laptop picked this trojan up ,earlier today win64/Sirefef.Y infection with auto rebooting, I read Mathews post but being the script was written specificlly for his machine, I thought I would make a seperate post. I managed to run FRST and grab a log "see below" I'm posting from a different machine and disconnected my spouses laptop from the network. Thanks for help a head of time.

Scan result of Farbar Recovery Scan Tool Version: 10-06-2012 03
Ran by User at 10-06-2012 21:16:26
Running from C:\Users\User\Desktop
Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.

========================== Registry (Whitelisted) =============

HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] ()
HKLM-x32\...\Winlogon: [Shell] [x ] ()
HKLM\...\InprocServer32: [Default] ATTENTION! ====> ZeroAccess?

==================== Services (Whitelisted) ======
========================== Drivers (Whitelisted) =============
========================== NetSvcs (Whitelisted) ===========
============ One Month Created Files and Folders ==============

2012-06-10 21:08 - 2012-06-10 21:08 - 00001084 ____A C:\Users\Public�... Read more

Answer:win64/Sirefef.Y infection

Greetings And Welcome To The Forums!!My name is Gringo and I'll be glad to help you with your malware problems.I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At the ... Read more

38 more replies
Relevance 100.86%

Hi...
I seem to have picked up a tricky to remove Trojan in my travels ... i get a regular notification from Nod32
11/06/2012 02:48:31 Real-time file system protection file F:\Windows\Installer\{f9dedb38-b63c-7edb-4bbc-8af06e9f5677}\U\[email protected] Win64/Sirefef.AE trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: F:\Windows\System32\services.exe.
Unfortunately its a recurring problem and it has stopped windows firewall and the like from operating...

Contents of DDS.txt is as follows
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by P1 at 2:44:49 on 2012-06-11
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.4094.2456 [GMT 1:00]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
F:\Windows\system32\wininit.exe
F:\Windows\system32\lsm.exe
F:\Windows\system32\svchost.exe -k DcomLaunch
F:\Windows\system32\nvvsvc.exe
F:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
F:\Windows\system32\svchost.exe -k RPCSS
F:\Windows\... Read more

Answer:infected with Win64/Sirefef.AE

Greetings And Welcome To The Forums!!My name is Gringo and I'll be glad to help you with your malware problems.I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At the ... Read more

16 more replies
Relevance 100.86%

Basically all started when a malware virus scanner was installed on my computer. Telling me I had a whole bunch of trojans/etc. I knew it was a virus so I downloaded a bunch of free virus scanners and got rid of some. However one of them would tell me I received a critical error and windows needed to restart. I downloaded Microsoft Security Essentials and it found this and quarantined these things. Again critical error and windows needed to restart. Now I had another problem.. my computer would start up and after 15 seconds it would critical error again and would want to restart. So after 10x I finally was able to open MSE and remove the quarantine on the items and uninstalled MSE from my computer.

Other things to note:
I can't turn on my Windows firewall.
If I mess with this thing I get a critical error and my computer restarts.

Any help would be amazing.. thanks =)

Screenshot: http://i.imgur.com/ziOXw.png

Answer:Trojan:Win64/Sirefef.W

Greetings and Welcome to The Forums!!My name is Gringo and I'll be glad to help you with your computer problems.I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of usPlease do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.NOTE: At the ... Read more

17 more replies
Relevance 100.86%

Hiya,

I have been having some difficulty with the viruses named above. I do not know how I managed to get them, as I stay away from what I would consider harmful sites, and only really use Facebook/Google/Youtube/My Uni's Own Website

I keep running scans on Microsoft Security Essentials, which keep identifying these viruses (Sometimes as often as every 2/3 minutes). I keep trying to remove them, but they don't seem to go.

I'm running Windows 7

I found a similar topic on this forum, where someone suggested downloading Farbar Recovery Scan Tool, and running it in System Recovery, and then posting the FRST.txt file that was saved. I have done this, and this is the content of the file

---------

Scan result of Farbar Recovery Scan Tool Version: 05-08-2012 03
Ran by SYSTEM at 07-08-2012 19:10:24
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1814312 2010-10-29] (Synaptics Incorporated)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [610872 2009-08-25] ()
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [171520 2009-10-31] (Sun Microsystems, Inc.)
HKLM\...\Run: [SysTrayAp... Read more

Answer:Trojan:Win64/Sirefef.AB and Trojan:Win64/Sirefef.W

Hi Paradoxymoron,Welcome to the forum.We need a fresh log of the latest FRST.Please delete your copy of FRST and download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.Plug the flashdrive into the infected PC.Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the not... Read more

17 more replies
Relevance 100.86%

My PC is infected by the sirefef.R and AH trojan. Thanks to you guys I have already found some information and already run the Farbar Recovery Scan.Below and also attached you will find the results from the scan and search.txt.Could you please tell me on how to proceed from here?Thanks,Bjorn1.) FRST.txtScan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-06-2012 01Ran by SYSTEM at 25-06-2012 01:44:23Running from J:\Windows 7 Home Premium (X86) OS Language: Dutch Standard The current controlset is ControlSet001========================== Registry (Whitelisted) =============HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [835584 2007-03-10] (Synaptics, Inc.)HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [620152 2006-10-22] (Adobe Systems Inc.)HKLM\...\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin [611712 2012-01-21] (Adobe Systems Incorporated)HKLM\...\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon [767312 2009-09-04] (CANON INC.)HKLM\...\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [178712 2008-04-15] (... Read more

Answer:Nasty Win32/sirefef.R and Win32/sirefef.AH

Hi,Please run the following:Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt start
SubSystems: [Windows] ==> ZeroAccess
HKLM\...\Run: [] [x]
HKLM\...\Run: [Regedit32] C:\Windows\system32\regedit.exe [x]
HKU\Bjorn\...\Run: [0i763f66bz] C:\Users\Bjorn\0i763f66bz.exe [42496 2012-06-23] (FaceVsion)
0 ece2981047436e29; C:\Windows\System32\Drivers\ece2981047436e29.sys [66488 2012-06-24] ()
2012-06-24 11:48 - 2012-06-24 11:48 - 00066488 ____A C:\Windows\System32\Drivers\ece2981047436e29.sys
2012-06-23 17:04 - 2012-06-23 17:04 - 00042496 ____A (FaceVsion) C:\Users\Bjorn\0i763f66bz.exe
2012-06-07 22:16 - 2012-06-24 22:32 - 00000000 ____D C:\Users\Bjorn\AppData\Local\831B70AA-4223-46DB-A9E4-D27C6CB4247D.aplzod
2012-05-15 16:33 - 2012-04-23 10:08 - 00000000 ____D C:\Users\Bjorn\AppData\Roaming\Belastingdienst
C:\Windows\Installer\{a4b8fb52-11e7-86e9-8511-b8c2b6b19ecb}
C:\Users\Bjorn\AppData\Local\{a4b8fb52-11e7-86e9-8511-b8c2b6b19ecb}
replace: C:\Windows\win... Read more

13 more replies
Relevance 100.86%

Microsoft essentials found the AH first and shortly after that the AC popped up also. It is a redirect trojan. Says it is cleared, and then comes back. running malaware now to see if it will clear it. thanks for your help again.

Answer:win32/sirefef.ac and win32/sirefef.ah please help clear it

Download Security Check from HERE, and save it to your Desktop. * Double-click SecurityCheck.exe * Follow the onscreen instructions inside of the black box. * A Notepad document should open automatically called checkup.txt; please post the contents of that document.=============================================================================Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.Make sure the following options are checked:
Internet ServicesWindows FirewallSystem RestoreSecurity Center/Action CenterWindows UpdateWindows DefenderPress "Scan".It will create a log (FSS.txt) in the same directory the tool is run.Please copy and paste the log to your reply.====================================================================================Please download MiniToolBox and run it.Checkmark following boxes:Report IE Proxy SettingsReport FF Proxy SettingsList content of HostsList IP configurationList Winsock EntriesList last 10 Event Viewer logList Installed ProgramsList Devices (do NOT change any settings here)List Users, Partitions and Memory sizeClick Go and post the result.=============================================================================Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop. * Double-click mbam-setup.exe and follow the prompts to install the program. * At the end, be sure a checkmark is placed next to Update Malwar... Read more

9 more replies
Relevance 100.04%

Hello. I am not sure what's going on with my laptop, but I'm quite certain that I might have virus/trojans or something. I have done full-scan with Malwarebytes Antimalware 1.70 but no malware detected. Significant and rather annoying computer problems include, unable to log in into one of my yahoo email (i.e. redirect to edit.yahoo.com and asking for code, and when I tried 2 of my other yahoo email, everything works normal without redirection or asking for code, etc), random characters showing up on my note pad file and sometimes on websites, google chrome and computer processing is considerably slow and sometimes I can't find the whole page on the websites, especially in Facebook, seems to be unable to load page properly and needs to be refreshed. Oh, and the one I find the most odd is when I can't even rename my own folder in my Document folder, that's very scary.

I have also read the thread forums from http://www.bleepingcomputer.com/forums/topic456344.html and http://www.bleepingcomputer.com/forums/topic464267.html

The forums above have similar symptoms like my laptop, which is why I suspect the Trojan:win64/sirefef.W. Please help me, I'm totally confused and I don't even know how I get this trojan. Any help would be appreciated. Thank you.

Answer:Possible infection with Trojan:win64/sirefef.W

to BleepingComputer.My name is Matthias and I'll help you with the cleanup of your computer.Please be aware of the following:Please complete all steps in the specified order.Even if tools don't find malware, I want you to post the logfiles anyway.Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.Don't install or uninstall software during the cleanup unless you are told to do so.If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.I can not guarantee that we will find and be able to remove all malware. Formatting is usually faster and always the safest way.If you decide to clean your PC, work with us until a team member tells you that you are clean.As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.Step 1Please download DDS by sUBs from one of the following links. Save it to your desktop.DDS.comDDS.pifDouble click on the DDS icon, allow it to run.Mark the option attach.txt.Click on Start.After the scan has finished, confirm the message with Ok.DDS will automatically open both logfiles.You can find them on your desktop as well.Please post the content of tho... Read more

27 more replies
Relevance 100.04%

Hello guys! Hope I can get some expert help on this nasty malware. Microsoft essensials continuously displays an error that the system needs to restart upon bootup and the laptop shuts itself down. It takes about 60 seconds so that doesn't leave much time to run any scans. Running in safemode does the same so that doesn't help.
By reading other threads, I've ran Farbar and have attached the FRST.txt here.

Any help would be greatly appreciated!!!

D12u
 

Answer:Trojan:Win64/Sirefef.Y - requesting for

Welcome to MajorGeeks, D12u

Boot to System Recovery Options and run FRST again.
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
 

5 more replies
Relevance 100.04%

Anyone know how to get rid of this nasty Trojan WIN64 Sirefef-A it seems to have disabled Update and Windows Firewall & Security Centre. Managed to get Avast and Comodo Firewall on but rest don't work.

Answer:Trojan WIN64 Sirefef-A removal

Microsofts Malware Protection Center says that the antivirus definitions may be able to detect and prevent WIN64 Sirefef, but nothing is mentioned about its removal.

Win32/Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. Particular variants of Win32/Sirefef may also make lasting changes to your computer that will NOT be restored - some system files may be irrevocably corrupted and essential security services may be disabled. Due to the severe consequences associated with this threat, you may need to reinstall your Windows operating system and other computer programs, and restore your files and data from backup if your computer is infected with any of the following Sirefef variants.

See if you can do a system restore to a prior good point - or even restore the PC to factory condition. That may be the easiest option right now.
Or else, clean up your PC junk using the Disk Cleanup tool, and see if you can schedule a a full in-depth boot-time scan of your Avast. Maybe that will help.
Microsoft's Answer Desk is another option you may want to consider - but thats a paid option.

2 more replies
Relevance 100.04%

Hi Guys,

My friend brought a laptop with Live Security Platinum Virus. I was able to remove it and even got a few good clean scans back from Malwarebytes and Spybot, then, all of a sudden, MSE started detecting win64/sirefef.y and it would reboot the computer after 1 minute. It keeps cycling like that in Safe mode as well. MSE detects it, tried to remove it, then it reboots. I can't run any tests or scans or disable it. I tried to use system restore, but it reboots the computer before I can kick start it.

I saw people posting logs here and getting a custom script to fix the issue. Any help would be greatly appreciated. Here is my FRST log. Thank you very much!

Scan result of Farbar Recovery Scan Tool Version: 19-06-2012
Ran by user at 19-06-2012 14:54:23
Running from E:\
Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.
============ One Month Created Files and Folders ==============

2012-06-19 14:54 - 2012-06-19 14:54 - 00000000 ____D C:\FRST
2012-06-19 14:24 - 2012-06-19 14:24 - 00005520 ____A C:\Windows\WindowsUpdate.log
2012-06-19 13:42 - 2012-06-19 14:53 - 00001344 ____A C:\Windows\setupact.log
2012-06-19 13:42 - 2012-06-19 13:42 - 00000000 ____A C:\Windows\setuperr.log
2012-06-16 20:30 - 2012-06-17... Read more

Answer:win64/sirefef.y Trojan Virus

Hello shvidky and welcome to the forums!My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!I would be glad to take a look at your log and help you with solving any malware problems.If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please... Read more

13 more replies
Relevance 100.04%

My computer is infected with Win64: Sirefef-c. I have run Avast, Malwarebytes, and SuperAniySpyware. Nothing works. Here is my log: Thank You!!!.DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 8.0.7600.16385Run by Michael at 14:58:09 on 2011-12-11Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2999.1120 [GMT -8:00].SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}.============== Running Processes ===============.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\nvvsvc.exeC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k LocalServiceC:\Program Files\Dell\DellDock\DockLogin.exeC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Windows\system32\nvvsvc.exeC:\Program Files\SUPERAntiSpyware\SASCORE64.EXEC:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files (x86)\Application Updater\ApplicationUpdater.exeC:\Program Files... Read more

Answer:Help, computer infected with Win64: Sirefef-c

Hello and Welcome to the forums!My name is Gringo and I'll be glad to help you with your computer problems.Somethings to remember while we are working together.Do not run any other tool untill instructed to do so!please Do not Attach logs or put in code boxes.Tell me about any problems that have occurred during the fix.Tell me of any other symptoms you may be having as these can help also.Do not run anything while running a fix.Do not run any other tool untill instructed to do so!Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.Run Combofix:You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<Combofix may need to reboot your computer more than once to do its job this is normal.You can download Combofix from one of these links.Link 1Link 2Link 31. Close any open browsers or any other programs that are open.2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more

13 more replies
Relevance 100.04%

Hello I'm trying to help remove the sirefef.y virus from a laptop. I have the attached files from FRST and the search. The laptop is running win7 64. Please let me know what other info you need. Thank you for your help
Jay
 

Answer:win64 sirefef.y removal request

Welcome to MajorGeeks, Jay

You did a bit of researching I see :-D

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

Save fixlist.txt to your flash drive.
You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally and remember to attach your Fixlog.txt

>>> Now continue with this procedure: How to Remove TrojanOS/Alureon.A <<<
 

11 more replies
Relevance 100.04%

Thank You to the Security Expert that can help remove this.

Microsoft Security Essensias told me I have Trojan:Win64/Sirefef.K

Spyware Doctor and Malware bytes Antimalware detected and removed entries from the following folder.

C:\users\%username%\appdata\local\1043a580\U
Removed 2 such entries, [email protected]
This is a Protected Windows Operating system folder

The files will come back eventually

Hitman pro could not find anything wrong.

I am attaching DDS but not GMER becuase system is 64 Bit

Answer:Infected with Trojan:Win64/Sirefef.K

Hello and Welcome to the forums!My name is Gringo and I'll be glad to help you with your computer problems.Somethings to remember while we are working together.Do not run any other tool untill instructed to do so!Please Do not Attach logs or put in code boxes.Tell me about any problems that have occurred during the fix.Tell me of any other symptoms you may be having as these can help also.Do not run anything while running a fix.We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.In order for me to see the status of the infection I will need a new set of logs to start with.Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.DeFogger:Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will appea... Read more

16 more replies
Relevance 100.04%

Hi. My laptop has become infected with the win64/sirefef.ab virus/rootkit and now restarts itself every couple of minutes. Whilst MSE detects the infection, it is not able to remove it, and the firewall appears to have been disabled and I'm not able to reactivate. I've tried restarting in safe mode but problems persist. I would be grateful if you could provide some guidance on how to remove the infection. ThanksHi. I've looked at some of the other threads and saw the normal procedure is to run frst and post the log.FRST Log Scan result of Farbar Recovery Scan Tool Version: 14-07-2012Ran by SYSTEM at 14-07-2012 11:01:58Running from I:\Windows 7 Home Premium (X64) OS Language: English(US) The current controlset is ControlSet001========================== Registry (Whitelisted) =============HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-27] (Synaptics Incorporated)HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [5962272 2009-11-30] (Realtek Semiconductor)HKLM\...\Run: [RtkOSD] C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe [995840 2009-10-13] (Realtek Semiconductor Corp.)HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167704 2012-01-10] (Intel Corporation)HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [392984 2012-01-10] (I... Read more

Answer:win64/sirefef.ab virus/rootkit

Hello and welcome. Please follow these guidelines while we work on your PC:Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I?ve given you the ?All clear.? Absence of symptoms does not mean your machine is clean! Please do not run any scans or install/uninstall any applications without being directed to do so.Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed. Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt Replace: c::\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
C:\Windows\Installer\{73fc0583-7f48-eba1-578d-a5a377ed0c68}
C:\Users\JenJames\AppData\Local\{73fc0583-7f48-eba1-578d-a5a377ed0c68}NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemNow please enter System Recovery Options again.Select Command PromptIn the command window type in notepad and press Enter.The notepad opens. Under File menu select Open.Select "Computer" and find your flash drive letter and close the notepad.In ... Read more

14 more replies
Relevance 100.04%

Hi NOD32 keeps telling me I'm infected with:

C:\Windows\system32\services.exe is infected with Win64/Patched.B.Gen trojan
C:\Windows\assembly\GAC_32\Desktop.ini is infected with Win32/Sirefef.EZ trojan
C:\Windows\assembly\GAC_64\Desktop.ini is infected with Win64/Sirefef.AD trojan
Could someone help me out with cleaning my computer?

Thanks!

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
Run by Michael at 3:02:19 on 2012-07-14
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6135.3145 [GMT -5:00]
.
AV: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe ... Read more

Answer:Win64/Patched.B.Gen and Sirefef Trojans

Attach.txt added.

14 more replies
Relevance 100.04%

Please do the following:download Farbar Recovery Scan Tool and save it to a flash drive.Plug the flashdrive into the infected PC.Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

Answer:Malware Win64/Sirefef.AL Trojan

It worked. I have been asking which windows to scan (I have both xp and 7). I chose 7.

I have replaced my true name by "Administrator" in the log. If it matters, I will post the original.

Here is FRST.txt :
Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 17-08-2012 13:35:16
Running from H:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Welcome Center] C:\Windows\system32\rundll32.exe C:\Windows\system32\OobeFldr.dll,ShowWelcomeCenter LaunchedBy_StartMenuShortcut [898560 2010-11-20] (Microsoft Corporation)
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [1923640 2009-10-07] (ESET)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: [APSDaemon] "C:\Pro... Read more

14 more replies
Relevance 100.04%

Hi I am new to this forum and was hoping you could help me remove trojan:win64/sirefef.P and trojan:win32/sirefef.AB I keep getting different ways to remove it and I?m lost. I ran Malware bytes, WES, and TDSSkiller. And none of them worked.

Thank You
 

Answer:Please Help Remove trojan:win64/sirefef.P

What operating system?
 

3 more replies