Computer Support Forum

Sirefef (one minute reboot)

Question: Sirefef (one minute reboot)

Hi! Had good results with this forum; back again!

Working on my nephew's computer, I noticed Google searches were being redirected. Microsoft didn't catch the initial problem so I ran Malwarebytes and Eset Online scanner which found and cleaned some problems. Rebooted. Microsoft Security Essentials found Sirefef trojan, cleaned and rebooted. Now every time I boot the computer it says it will "restart automatically in one minute" (both safe and normal mode).

OS is Vista
AV is MSE
Advanced Boot options does NOT give me "Repair your computer" option

I do not have the Windows installation disk, although it might be possible to find with a lot of hunting.

Please help!

(As an aside, the reason I went to my nephew's computer was to check on the router... On my laptop my Symantec Endpoint Protection was giving me popups that a "port scan attack is logged" coming from the router. Since it was being blocked I figured I would use the other computer to view router's admin page.)

Answer: Sirefef (one minute reboot)

Update:
I booted to safe mode and brought up the task manager with a CTRL-ALT-DEL at the first opportunity. I used the processes tab to locate the MSI process and ended it. This allowed me to run DDS and GMER to get the following logs.

Awaiting help,
Thanks!

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by COREY at 20:04:59 on 2012-08-12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1652 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [TivoServer] c:\program files\tivo\desktop\TiVoServer.exe /service /registry /auto:TivoServer
uRun: [TivoTransfer] c:\program files\tivo\desktop\TiVoTransfer.exe
uRun: [TivoNotify] c:\program files\tivo\desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
uRun: [TranscodingService] c:\program files\tivo\desktop\plus\\TranscodingService.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Google Update] "c:\users\corey\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Creative Mouse Software] c:\program files\creative\shared files\cids\CTStray.exe
mRun: [Creative Keyboard Software] c:\program files\creative\shared files\cids\CTStray.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\users\corey\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{018001D7-5C04-4AA8-AC7C-829907BD9C2A} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2FE5EDC9-08BC-4664-AA09-2558F440CA37} : DhcpNameServer = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist remote support customer\428\g2ax_winlogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\corey\appdata\roaming\mozilla\firefox\profiles\plnplmne.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - prefs.js: browser.search.selectedEngine - FreeMake Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3214568&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3214568&SearchSource=2&q=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\corey\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\users\corey\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\corey\appdata\roaming\mozilla\firefox\profiles\plnplmne.default\extensions\{adca5064-9e30-43fe-9856-58b07a3149fe}\plugins\np-mswmp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_270.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: Coupon Companion: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Yontoo: [email protected] - %profile%\extensions\[email protected]
FF - Ext: FreeMake : {adca5064-9e30-43fe-9856-58b07a3149fe} - %profile%\extensions\{adca5064-9e30-43fe-9856-58b07a3149fe}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - 6ecae33c-e29e-4af3-815b-c7233b2d1e0a
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
============= SERVICES / DRIVERS ===============
.
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-7-14 176128]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-26 21504]
S2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\citrix\gotoassist remote support customer\428\g2ax_service.exe [2012-7-30 609720]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-30 250056]
S3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-11-9 8913920]
S3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-11-9 263680]
S3 AVMNgBasM780;AVerMedia M780 Base Driver;c:\windows\system32\drivers\AVerBas.sys [2009-2-2 57216]
S3 AVMNgCapM780;AVerMedia M780 Audio/Video Capture Driver;c:\windows\system32\drivers\AVerCap.sys [2009-2-2 366976]
S3 AVMNgTunM780;AVerMedia M780 TVTuner Driver;c:\windows\system32\drivers\AVerTun.sys [2009-2-2 165248]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2012-7-21 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\program files\msi\live update 5\msibios32_100507.sys [2012-2-24 25912]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;c:\program files\msi\live update 5\NTIOLib.sys [2012-2-24 7680]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2010-7-8 541800]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2010-8-24 1104656]
.
=============== Created Last 30 ================
.
2012-08-12 21:28:12 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ab35551c-e78f-4373-bf9e-a345b5789972}\offreg.dll
2012-08-12 21:27:42 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{cc02cd41-d2a2-459e-854d-9c34a4bb364c}\gapaengine.dll
2012-08-12 21:27:29 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ab35551c-e78f-4373-bf9e-a345b5789972}\mpengine.dll
2012-08-12 21:24:51 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-12 16:35:37 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-09 01:33:37 -------- d-----w- c:\users\corey\appdata\roaming\Origin
2012-08-09 01:33:37 -------- d-----w- c:\program files\Origin Games
2012-08-09 01:29:40 -------- d-----w- c:\users\corey\appdata\local\Origin
2012-08-09 01:28:19 -------- d-----w- c:\programdata\Origin
2012-08-09 01:28:10 -------- d-----w- c:\program files\Origin
2012-08-08 00:19:22 -------- d-----w- c:\program files\Belkin
2012-08-08 00:18:52 -------- d-----w- c:\windows\{7EBEACC7-A0C9-4DA4-9A63-3DC7D244B051}
2012-08-04 19:31:44 -------- d-----w- c:\program files\GetFLV
2012-08-04 19:09:26 -------- d-----w- c:\users\corey\appdata\local\Coupon Companion
2012-08-04 19:09:23 -------- d-----w- c:\program files\Coupon Companion
2012-08-04 19:08:30 -------- d-----w- c:\program files\Yontoo
2012-08-04 19:08:28 -------- d-----w- c:\programdata\Tarma Installer
2012-08-04 18:51:08 -------- d-----w- c:\program files\Hulu Downloader
2012-07-30 16:47:37 197560 ----a-w- c:\windows\system32\g2ax_credential_provider_428.dll
2012-07-25 19:02:39 -------- d-----w- c:\program files\Conduit
2012-07-25 19:02:33 -------- d-----w- c:\users\corey\appdata\local\Conduit
2012-07-24 02:44:11 -------- d-----w- C:\game of thrones
2012-07-21 07:11:41 -------- d-----w- c:\windows\en
2012-07-21 07:10:18 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2012-07-21 07:05:56 19736 ----a-w- c:\programdata\microsoft\identitycrl\production\ppcrlconfig600.dll
2012-07-21 07:00:54 89944 ----a-w- c:\program files\common files\windows live\.cache\92256f311cd670e02\DSETUP.dll
2012-07-21 07:00:54 537432 ----a-w- c:\program files\common files\windows live\.cache\92256f311cd670e02\DXSETUP.exe
2012-07-21 07:00:54 1801048 ----a-w- c:\program files\common files\windows live\.cache\92256f311cd670e02\dsetup32.dll
2012-07-21 06:59:44 -------- d-----w- c:\users\corey\appdata\local\{D338EE31-B5CB-4F95-B72A-88791B075104}
2012-07-21 06:59:34 -------- d-----w- c:\users\corey\appdata\local\{D39CB2AE-DC38-4401-8665-12DE8B00E49A}
.
==================== Find3M ====================
.
2012-08-13 00:20:40 279552 ----a-w- c:\windows\system32\services.exe
2012-08-03 05:39:35 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-03 05:39:35 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-03 20:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:40:21 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-11 18:17:42 65536 ----a-w- c:\windows\system32\frapsvid.dll
2012-06-05 16:47:28 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47:27 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26:04 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 00:04:25 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03:42 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 20:08:16.33 ===============

33 more replies

Got another one for you... Can't stay logged into windows because of a critical error, and rebooting 1 minute later.

Here is my frst.txt content...

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 27-07-2012 20:21:28
Running from I:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16333856 2009-07-14] (NVIDIA Corporation)
HKLM\...\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui [190472 2009-09-16] (Logitech Inc.)
HKLM\...\Run: [EKAIO2StatusMonitor] C:\Windows\system32\spool\DRIVERS\x64\3\EKAiO2MUI.exe [3240448 2011-12-10] (Eastman Kodak Company)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ABNotify] C:\Program Fi...

Answer: Another Sirefef Infection/1 minute reboot

Please do the following:

Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
1 evrhwdch; \??\C:\Windows\system32\drivers\evrhwdch.sys [x]
2012-07-27 17:17 - 2012-07-27 17:17 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2243DA0DB5B173E7
2012-07-27 17:17 - 2012-07-27 17:17 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\wwogfass.sys
2012-07-27 15:35 - 2012-07-27 15:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2BADF4F3E3ADF4FB
2012-07-27 15:20 - 2012-07-27 15:20 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3BADF02DBC08DE8D
2012-07-23 11:00 - 2012-07-23 11:00 - 00311296 ____A C:\Users\Courtney_2\AppData\Local\plogolc.exe
C:\Windows\Installer\{4935c656-a5da-c5b8-8fc3-b9e67597a38b}
C:\Users\Courtney_2\AppData\Local\{4935c656-a5da-c5b8-8fc3-b9e67597a38b}
replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
...

13 more replies

I am having the same trouble as many others. Can't do anything cause computer restarts every minute. Here are my FRST logs. Thank you in advance for the help.

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 25-07-2012 13:18:19
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2009-09-08] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [174104 2009-09-08] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [151064 2009-09-08] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7739936 2009-09-16] (Realtek Semiconductor)
HKLM\...\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe" [159456 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...&#...

Answer: Sirefef Infection/1 minute reboot

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At...

5 more replies

Hello,

I have a Windows 7 Home Premium 64-bit laptop which is infected with the Win32/sirefef.ah trojan. As soon as the Microsoft Security Essentials launches it causes the system to give this error: WINDOWS HAS ENCOUNTERED A CRITICAL PROBLEM AND WILL RESTART AUTOMATICALLY IN ONE MINUTE and then reboots. This happens in a regular boot and in safe mode. MSE cannot be uninstalled either. I've read other threads and would like to know which program needs to be run first so I may supply the log files. Your help is appreciated.

thank you,
-kA

Answer: win32/sirefef.ah trojan (causes one minute reboot)

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ...

4 more replies

Answer: Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute. Firewall cannot turn on

Hi,

Thanks for the reply.

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 29-07-2012 11:19:09
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL "" [1111568 2011-10-08] (Trend Micro Inc.)
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2589992 2011-04-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [617120 2011-03-13] (Atheros Commnucations)
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [197152 2011-02-10] (Trend Micro Inc.)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\A...

20 more replies

Hello,

I post my problem here as it seems the only place where I've found people who actually know what they're talking about. I have a Sony Vaio Laptop running Windows 7 64 bit infected with the sirefef virus. Microsoft Security Essentials shows that it found:

Trojan: Win64/Sirefef
Trojan: Win64/Sirefef.Y
Virus: Win64/Sirefef.B
Trojan: Win64/Sirefef.Z
Trojan: Win64/Sirefef.W

Every time I boot the computer, MSE finds these infections, and prompts me after a minute to restart in order to complete the removal. But every time it reboots, the message is still there. I tried installing Malwarebytes but it won't let me cause it says "access denied" or something like that. Sorry for not providing any more information but I can use my PC for a couple of minutes every time (cause it reboots automatically). I followed your instructions and scanned with DDS. I attach the attach.txt file it generated. I look forward to hearing from you as I really need the laptop for my university studies and I'm in the middle of the exams period. Thank you for your time!

P.S. If I restore my whole system to factory settings, is the problem going to persist? Cause if it's not, I will do it in a heartbeat. Only problem is that I am afraid of infecting my external hard drive (which would be already infected if the virus spreads to external devices). Would that be the case? Will I need to clean my external HDD too?

Answer: Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute

Hello and welcome. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an...

2 more replies

Hello,

Yesterday my PC was infected with the Live Security Virus. It's an HP desktop running Win Vista Home Premium.

I was able to download AntiMalwarebytes and run it to remove the Live Security Virus.

Afterwards MSE would not run, so I uninstalled it, and reinstalled.

After rebooting, MSE detected the sirefef.ah and sirefef.r viruses, but before it can clean them the PC gives a warning that it had a critical error, and will restart in a minute. It then restarts.

I tried downloading TDSSkiller onto a flash drive on this PC (my laptop), plugged it into the infected PC and ran it, but it didn't find anything. Sure enough, it then shut down again.

MSE will detect the viruses, but doesn't have enough time to deal with them.

I'd love some help! What should I try next?

Thanks!
Ian

Answer:Infected with sirefef.ah and sirefef.r after Live Security Update - reboots every minute

Ignore this for now, I've taken the PC into a local shop. I just don't have the time right now to figure this out on my own. I will post any solutions they tell me.

Thanks anyway, I'll be back for other issues I'm sure!

22 more replies
Relevance 73.39%

Problem started as Live Platinum fake anti-virus. I thought I successfully removed this with MBAM, etc. But shortly thereafter MSE alerted that it detected Sirefef.R & Sirefef.AH. Now every time I reboot I get a message that Windows has encountered a critical problem and the computer shuts down after 1 minute. I followed the steps on the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help, but I am not able to run DDS or GMER scans because the system reboots before they finish. I am stuck!
OS is Windows 7, 32-bit.
Thanks in advance.

Answer:Sirefef.R, Sirefef.AH, computer shuts down after 1 minute

Greetings And Welcome To The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more

23 more replies
Relevance 70.93%

Last night, I noticed MSE was not running and I could not update or run a scan. I uninstalled and reinstalled MSE. It scanned and detected Sirefef.R and Sirefef.AH and a message appeared that the computer would shutdown in one minute. The same thing happens in safe mode.

I am unable to run READ AND RUN ME FIRST because of the shutdowns (sending this from another computer).

I ran FRST.exe and have attached the file.

Thanks
 

Answer:Sirefef.R & Sirefef.AH - reboots after 1 minute

Please do the below as we need to locate a backup file to replace an infected one.

Boot to System Recovery Options and run FRST again.
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (See How to attach)
 

18 more replies
Relevance 68.06%

A few days ago, I got the Sirefef.AB and Sirefef.W virus on my computer. I had no idea the severity of my problem until after I reinstalled MSE which has now caused my computer to constantly restart. I have used Farbar to create a FRST.txt and Server.txt file, though I do not know if that will help on this site in the removal of this blasted virus, and I will wait to post it until I have been instructed if I should do so. I really am at a loss here. I am not that great with computers, and could really use some help.

Edit: Added note, for the short while before I reinstalled MSE, I was having redirection problems when clicking on Google links. It also restarts in Safe Mode.

Answer:Sirefef.AB and Sirefef.W for Windows 7 Infected Computer with Constant Reboot

Greetings And Welcome To The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

3 more replies
Relevance 64.37%

Hello, this is my first time in this forum. My first indication of a problem with my computer was that MSE was not started, and would not start when I attempted to do so. I uninstalled MSE, and then reinstalled it. During the quick scan it attempted during the installation, it let me know it found the serious threat of Sirefef.AH. I told it to remove the problem and it began to do so, but before it was done, a windows message popped up: "Windows has encountered a critical problem and will restart in automatically in one minute. Please save your work." I then have approximately 60 seconds to do anything before the computer reboots itself. Now, it is giving me this error and reboot every time I restart the computer. It does this even in safe mode. I did manage to download the TDSSKILLER .zip file to my phone, then copied the file to the infected computer, extracted it, got it installed and started the scan before the computer rebooted itself.

I have searched through this forum for help but I can't seem to find anyone else with the problem of having only a 60 second window to fix this malware issue.

I am running Windows 7 on a 32-bit system. Thank you in advance for your help!!

Answer:Sirefef.AH with automatic reboots after 1 minute

Let's give it a try. You will need a USB Flash drive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Click on Repair your computer menu item.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt

Then:
- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

27 more replies
Relevance 64.37%

Hi, I'm new to this forum. I think I have the exact same problem as in this post:
http://www.bleepingcomputer.com/forums/topic455881.html

But I thought it would be better to post a new topic, correct me if I'm wrong.

My computer boots, and after a few seconds it says that it found a potential risk "Sirefef", and after 1 minute it reboots.
Any help is appreciated!

Attached you find scan results from Farbar Recovery Tool.

Answer:Sirefef with automatic reboots after 1 minute

This post can be closed, I think I solved the problem by doing the same steps as in the duplicate post.

2 more replies
Relevance 63.55%

Hi, folks. I'm from Brazil and I had the same problem as kesposito. I was searching for a solution on the web and I found this site and read this topic. I noticed there was a successful, but complex and long procedure which I couldn't follow, and the instructions were given to that specific case, so I decided to join BleepingComputer and create this topic. I'd like to receive instructions to have a removal of the virus (sirefef.AH).

Just a question: I'm using my desktop computer to write this post; the infected computer is a laptop. Master Surgeon General said that a USB Flash drive would be needed. Mine was connected to the laptop after it was infected. Is it OK if I use that flash drive?

Thank you in advance for help.

Answer:Sirefef.AH with automatic reboots after 1 minute (part 2)

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more

63 more replies
Relevance 62.73%

Why didn't I come here first? That's what I keep asking. In any event, here's my situation. Several weeks ago, I had something pop up identified as "Live Security Platinum". Knowing it was a virus, I was able to run Malwarebytes and it seemed to get rid of it. Then the computer got caught in this endless loop of the message popping up with "Windows has encountered a critical problem & will restart automatically in one minute. Please save your work now". Sure enough, it cycles and continuously reboots.

MSE always pops up as trying to clean the infection showing as Trojan:Win32/Sirefef.AH
Details show file:C:\Windows\system32\services.exe-> and container file C:\Windows\system32\services.exe

Looking for advice elsewhere, I ran Kaspersky Rescue Disk and it seemed to get rid of a few things as well, but the loop remains. I have tried safe mode and unplugging network/internet cable, all to no avail. I then found your site and, I again say why didn't I come here first?!?

I have reviewed many of the logs for similar problems as well as the prep guide and so forth. Here is what I have to report. I tried to turn off windows firewall and it initially came back with the message "Due to an unidentified problem, windows cannot display Windows Firewall Settings." After messing around trying to do some other things, it now says "The Windows Firewall service is not running."... Read more

Answer:One Minute Critical Problem, Sirefef Virus, Vista SP2

Please do the following:

Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM\...\Run: [] [x]
C:\Windows\Installer\{b073be15-c1cf-2181-9e6c-84bd04262a1f}
C:\Users\Phil\AppData\Local\{b073be15-c1cf-2181-9e6c-84bd04262a1f}
replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt
Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
Reboot Normally.

NEXT

Refer to the ComboFix User's Guide

Download ComboFix from the following location:

Link

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboF... Read more

14 more replies
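The fixlist in the answer above restores C:\Windows\System32\services.exe from a copy kept under C:\Windows\winsxs. As an added example (not part of the original thread and not FRST's own logic), this Python script compares the SHA-256 of the live file with every copy in the component store of an offline-mounted Windows folder; the function names, verdict strings and the demo directory tree are assumptions constructed for illustration. A mismatch against every store copy marks the file as a candidate for replacement, while a match is not proof that the file is clean.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def child_ci(parent, name):
    """Find a directory entry by name, ignoring case (NTFS mounted elsewhere)."""
    parent = Path(parent)
    if not parent.is_dir():
        return None
    for entry in parent.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def store_copies(windows_dir, filename):
    """Return every file named `filename` below <windows_dir>/winsxs."""
    store = child_ci(windows_dir, "winsxs")
    if store is None:
        return []
    return sorted(p for p in store.rglob("*")
                  if p.is_file() and p.name.lower() == filename.lower())


def check_system_file(windows_dir, filename="services.exe"):
    """Compare System32/<filename> with each component-store copy by hash."""
    system32 = child_ci(windows_dir, "system32")
    live = child_ci(system32, filename) if system32 else None
    if live is None or not live.is_file():
        return {"verdict": "live-file-missing", "live": None, "matching": []}
    live_hash = sha256_of(live)
    copies = store_copies(windows_dir, filename)
    matching = [str(p) for p in copies if sha256_of(p) == live_hash]
    if not copies:
        verdict = "no-store-copy"        # nothing to compare against
    elif matching:
        verdict = "matches-store"        # identical to at least one store copy
    else:
        verdict = "differs-from-store"   # candidate for replacement
    return {"verdict": verdict, "live": str(live), "live_sha256": live_hash,
            "store_copies": [str(p) for p in copies], "matching": matching}


def build_demo_tree(root, tampered):
    """Create a constructed Windows layout; names and bytes are made up."""
    windows = Path(root) / "Windows"
    component = windows / "winsxs" / "x86_constructed-servicecontroller_demo"
    component.mkdir(parents=True)
    (windows / "System32").mkdir()
    clean = b"MZ constructed clean services.exe bytes"
    (component / "services.exe").write_bytes(clean)
    live = clean + b" plus appended bytes" if tampered else clean
    (windows / "System32" / "services.exe").write_bytes(live)
    return windows


def demo():
    """Return the verdict for a clean, a modified and an empty constructed tree."""
    results = {}
    for label, tampered in (("clean", False), ("modified", True)):
        with tempfile.TemporaryDirectory() as root:
            windows = build_demo_tree(root, tampered)
            results[label] = check_system_file(windows)["verdict"]
    with tempfile.TemporaryDirectory() as root:
        results["empty"] = check_system_file(root)["verdict"]
    return results


if __name__ == "__main__":
    print(demo())
```

Run it from a clean machine against the mounted Windows folder of the affected disk, for example `check_system_file("/mnt/disk/Windows")`, where the mount point is a placeholder.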
Relevance 62.73%

I was using my grandmother's computer tonight and somehow got infected by Live Security Platinum. I used Malwarebytes to remove it by following the directions here. It appeared to work, but after restarting my computer, I keep getting the error, "Windows has encountered a critical problem and will restart automatically in one minute." I open up Microsoft Security Essentials to see what is causing the problem, and the two programs "Win64/Sirefef.Y" and "Win64/Sirefef.B" are labeled as dangerous. MSE cannot scan the computer quickly enough to remove those programs before the computer is restarted. Details provided by MSE shows that "file:C:\Windows\system32\services"

I have seen other questions about this problem, but I wasn't able to find anything for Vista, only Windows 7. The solution also appears very specific in each case, with much pasting of results, so I didn't want to mess up my grandmother's computer by following directions that were not exactly correct. I have another computer and USB drive available. Thanks in advance for the help!

Answer:Windows Vista will restart automatically in one minute, and I have sirefef

Greetings And Welcome To The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

3 more replies
Relevance 62.32%

Hi, Last night I was browsing the internet and attempted to download something from a website that seemed legitimate, but when I went to scan the file with MSE, I was shocked to find that MSE was turned off, and I could not get it to work again.
I forget the exact error displayed, but I immediately disconnected the internet, uninstalled MSE, and then re-installed, reconnected to the net, updated MSE and was immediately confronted with a security warning that my system was infected with "Sirefef.Y".

MSE tried to clean the infection, but before it could complete the process, I received a Windows Critical error, stating that my system has encountered a problem and will automatically restart in 60 seconds, which it did.
This is a cycle that continues to occur, and pretty much immediately after boot, which gives me very little time to do anything about the problem.
Please help!

I am running Windows 7 Home Premium 64bit.

I have tried starting the computer in safe mode but get the same problem - each time I receive the Windows error and the system reboots
Any help you could provide would be appreciated a great deal.

Thanks in advance.

RK.

Answer:Sirefef infection - Computer restarts in 1 minute everytime I boot it

Download Farbar Recovery Scan Tool and save it to a flash drive. (You need the 64bit version.)
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt

Then:
- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe (for x64 bit version type e:\frst6... Read more

8 more replies
Relevance 62.32%

Hello everyone, this is a repost of a thread from a few years ago.

Through various Google searches involving my problem, this appears to be the best forum to post on, so here I go. I am running Windows 7 x64 and will outline the following:

1) I noted that I began getting various browser redirects from sites when searching through Google (I have not checked if this was elsewhere). The browser would redirect me to websites such as newsfudge.com.
2) From this point I decided to attempt to run some scans. I had Microsoft Security Essentials installed however noted that it claims the service isn't running. When attempting to enable the service, it stated the service was not installed.
- This was rectified. I uninstalled and reinstalled the application successfully.
3) Upon attempting to run both Malwarebytes and MSE (Security Essentials from here on out), I would reboot into the computer and began to notice that I would get a dialogue box that would explain my computer is about to be logged off because of a critical error.
- Attempting to restore "Last known good configuration" did not resolve this.
- The same dialogue box pops up when I try to restart in Safe Mode, I am currently posting this from my work computer.
- I haven't been able to find a specific error within the System Logs so if there should be one stated please tell me what to look for.
- I believe this occurs when MSE detects several infections, which appear to be different variants of sirefef.
-... Read more

Answer:Windows 7: Reboots after 1 minute, browser redirects, sirefef variants

Greetings And Welcome To The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more

3 more replies
Relevance 62.32%

Hello all,

Through various Google searches involving my problem, this appears to be the best forum to post on, so here I go. I am running Windows 7 x64 and will outline the following:

1) I noted that I began getting various browser redirects from sites when searching through Google (I have not checked if this was elsewhere). The browser would redirect me to websites such as newsfudge.com.
2) From this point I decided to attempt to run some scans. I had Microsoft Security Essentials installed however noted that it claims the service isn't running. When attempting to enable the service, it stated the service was not installed.
- This was rectified. I uninstalled and reinstalled the application successfully.
3) Upon attempting to run both Malwarebytes and MSE (Security Essentials from here on out), I would reboot into the computer and began to notice that I would get a dialogue box that would explain my computer is about to be logged off because of a critical error.
- Attempting to restore "Last known good configuration" did not resolve this.
- This does not occur while in Safe Mode, which is where I am posting this topic.
- I haven't been able to find a specific error within the System Logs so if there should be one stated please tell me what to look for.
- I believe this occurs when MSE detects several infections, which appear to be different variants of sirefef.
-- The last two variants of sirefef detected by MSE are: Trojan:Win32/Sirefef.AB and Trojan:Win64/Sirefef.... Read more

Answer:Windows 7: Reboots after 1 minute, browser redirects, sirefef variants

Hi,

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt

Then:
- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe (for x64 bit version type e:\frst64... Read more

30 more replies
Relevance 61.5%

Dear all,

I'm a new member from a very far away location of yours, and this is my first post. I'm not native English speaker so please forgive me if I use incorrect wordings. I must say that I'm illiterate in computer language, but I'm patient and ready do whatever I've been told to keep my pc 'healthy'.

Yesterday my desktop in office was infected by Live Security Platinum (LSP). I was astonished when the rogue said that my pc got 38 virus/malicious programs, I should take action immediately, pay money to get license, blah blah blah... Called my friend seeking for advice but only got answer that I had no choice but to call a computer service company to help me. Ahhh, I was so pissed off & concerned to the worst situation may happen. I went on Microsoft Support Center site for advice & very happeningly found BleepingComputer site, I did all the instructing steps to Remove Live Security Platinum (Uninstall Guide) & it worked. No more threat from LSP, but then my Window Security Essential (WSE) couldn't run, its icon in red.

This morning, I had to remove & re-install the WSE. After installing, I ran WSE and then I got 2 messages, 1 from WSE and 1 from Notification. The messages are the same content like jtsm in Sirefef virus/trojan - Laptop restarting - Vista 32 bit topic. Right now my desktop is infected by Sirefef Trojan/virus. Please help me get rid of this virus. I don't know how to get & copy the log like jtsm. Please ins... Read more

Answer:Sirefef virus/trojan - my PC keep restarting every minute - Win Home Basic 7 - 32Bit

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more

3 more replies
Relevance 61.5%

This is my first post. Thanks in advance for any help you can provide!

The Microsoft Security Essentials icon in the tray turned red, as if the service was turned off. I was having trouble getting it turned back on, so I went to the control panel and uninstalled the service. I downloaded a new copy from the Microsoft website and reinstalled.

Soon after installing, I got a message saying that threats had been cleaned off the computer and then another saying that 2 threats had been quarantined. The threats quarantined were:

Virus:win32/sirefef.R and Trojan:win32/sirefef.AH

As this threat message pops up, I then get a window open telling me that Windows has encountered a critical error and will shut down in one minute.

It restarts, stays on for about 90 seconds, but then shuts down again with the same message about detecting sirefef.R and .AH

Here are the logs:

Scan result of Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 11-08-2012 01:07:48
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-03-30] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-03-30] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe... Read more

Answer:Sirefef virus/trojan - my PC keep restarting every minute - Win Home Basic 7 - 64bit

Greetings And Welcome To The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

16 more replies
Relevance 61.5%

Dear all, I'm a new member from a very far away location of yours, and this is my first post. I'm not a native English speaker so please forgive me if I use incorrect wordings. I must say that I'm illiterate in computer language, but I'm patient and ready to do whatever I've been told to keep my pc 'healthy'. Yesterday my desktop in office was infected by Live Security Platinum (LSP). I was astonished when the rogue said that my pc got 38 virus/malicious programs, I should take action immediately, pay money to get license, blah blah blah... Called my friend seeking for advice but only got answer that I had no choice but to call a computer service company to help me. Ahhh, I was so pissed off & concerned to the worst situation may happen. I went on Microsoft Support Center site for advice & very happeningly found BleepingComputer site, I did all the instructing steps to Remove Live Security Platinum (Uninstall Guide) & it worked. No more threat from LSP, but then my Window Security Essential (WSE) couldn't run, its icon in red. This morning, I had to remove & re-install the WSE. After installing, I ran WSE and then I got 2 messages, 1 from WSE and 1 from Notification. The messages are the same content like jtsm in Sirefef virus/trojan - Laptop restarting - Vista 32 bit topic. Right now my desktop is infected by Sirefef Trojan/virus. Please help me get rid of this virus. I don't know how to get & copy the log like jtsm did. Please... Read more

Answer:Sirefef virus/trojan - my PC keep restarting every minute - Win Home Basic 7 - 32Bit

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
1. Restart the computer.
2. As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
3. Use the arrow keys to select the Repair your computer menu item.
4. Choose your language settings, and then click Next.
5. Select the operating system you want to repair, and then click Next.
6. Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
1. Insert the installation disc.
2. Restart your computer.
3. If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
4. Click Repair your computer.
5. Choose your language settings, and then click Next.
6. Select the operating system you want to repair, and then click Next.
7. Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

1. Select Command Prompt
2. In the command window type in notepad and press Enter.
3. The notepad opens. Under File menu select Open.
4. Select "Computer" and find your flash drive letter and close the notepad.
5. In the command window type e:\frst.exe and press Enter Note: Replace letter e with... Read more

13 more replies
Relevance 57.81%

Specs: P4 2.6 Nvidia FX 5200Ultra 512 Mbs PC 3200 on XP Home SP2
AV-Avast Home (uninstalled upgraded to latest version)
Firewall-Sygate Pro (uninstalled upgraded to latest version)
Internet Connection-External USB ADSL modem (PPPoE) @3Mbps

Problem 1: XP Home reboots in the 3+ minute range. Once it gets to the 'Starting Windows XP' screen, it loads fine. Some damn thing is hanging.

Problem 2: My comp is running slow. Especially on the net. Task manager is reporting no excess network use. IE 6 acts like it's on a 56k modem. I use Mozilla FireFox, which runs fine, but my wife is an IE 6 fanatic. Shareaza and WinMX load slowly and take a minute or more to change tabs. BitTornado (latest versions all) loads and runs fine, but seems to hang after an hour or so. It stops updating speeds, seeds, peers, etc. It also closes slowly. Once I get online, the comp slams on the brakes. Mozilla is the only app that seems unaffected. Sygate is also logging a lot of portscans. 7 in the last hour or so. All from the same IP address. I've tried a reboot to get a new IP address, but the port scans start up again after about an hour, last about an hour then stop. So far I've resisted the urge to backtrace since it'll only egg the @$$hole on.....though if anyone has an ICBM I could use..........

NOTE I read the rules and I'm not asking for help with my P2P apps. Just mentioning them since they are affected. I installed the other ones since BT was acting flakey... Read more

Answer:XP 3+ minute reboot.

12 more replies
Relevance 56.99%

XP pro freezes in one to three minutes after I reboot with no applications running. Num Lock light will go off and on with toggle. Hard drive light is active for a couple of minutes but then goes to a steady blink-the cursor will not activate anything and eventually I get an hourglass that never goes away until I reboot.

Does not freeze in Safe Mode.
I have defragged and run memtest--OK.
Was able to nurse it through Norton update and a current scan--found no viruses. Once I got the virus scan going it did a complete scan-5-10 minutes and did not freeze??

BOXX computer with Dual XEON 3.06 with 4 GB ram (ram from BOXX) Nvidia Quadro FX 1000 128MB graphics card with 2 73GB 10000 rpm scsi drives XP Pro.

The unit is under warranty, and the manufacturer is sending me 2 new drives (one with new OS installed). However, I somehow do not believe the drives are the problem and I may lose all of my programs and data for nothing.

Suggestions greatly appreciated. Roger

Answer:XP freezes about one minute after reboot

I would think it would have been a virus. Your computer should be very fast with those specs. Try another virus scan like the Trend Micro HouseCall. Norton is no good, it never finds anything, that's why I got rid of it a year ago. R0SS

1 more replies
Relevance 56.99%

Help, my computer automatically reboots after 1 minute.
MSSE says Sirefef infection

here the FRST.TXT file.

Thanks

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by W7 at 23-07-2012 09:11:53
Running from C:\
Service Pack 1 (X86) OS Language: French Standard
Attention: Could not load system hive.Erreur : Le processus ne peut pas accéder au fichier car ce fichier est utilisé par un autre processus.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.
============ One Month Created Files and Folders ==============

2012-07-23 09:35 - 2012-07-23 09:11 - 00000000 ____D C:\FRST
2012-07-23 09:12 - 2012-07-23 09:12 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\yyhuknpj.sys
2012-07-23 09:08 - 2012-07-23 09:08 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\guwslplh.sys
2012-07-23 08:24 - 2012-07-23 08:24 - 00000000 ____D C:\Users\Public\Desktop\CC Support
2012-07-23 08:19 - 2012-07-23 08:36 - 00000000 ____D C:\Windows\erdnt
2012-07-22 23:32 - 2012-07-22 23:32 - 00892164 ____A (Farbar) C:\FRST.exe
2012-07-22 23:05 - 2012-07-23 08:36 - 00000000 ___SD C:\32788R22FWJFW
2012-07-22 23:03 - 2012-07-23 08:36 - 00000000 ____D C:\Qoobox
2012-07-22 23:02 - 2012-07-22 23:02 - 04582474 ____R (Swearware) C:\Users\W7\Desktop\z.exe
2012-07-22 21:22 ... Read more

Answer:HELP Sirefef reboot

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.

FRST needs to be run from the Recovery environment. Please follow these directions:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
1. Restart the computer.
2. As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
3. Use the arrow keys to select the Repair your computer menu item.
4. Choose your language settings, and then click Next.
5. Select the operating system you want to repair, and then click Next.
6. Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
1. Insert the installation disc.
2. Restart your computer.
3. If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
4. Click Repair your computer.
5. Choose your language settings, and then click Next.
6. Select the operating system you want to repair, and then click Next.
7. Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

1. Select Command Prompt
2. In the command window type in notepad and press Enter.
3. The notepad opens. Under File menu select Open.
4. Select "Computer... Read more

2 more replies
Relevance 56.99%

Windows Vista 32 bit on a Dell computer, we got this nasty virus that kept telling us that Windows will restart in 60 seconds, making it very hard to stop.

We rebooted in safe mode, and even in safe mode it still rebooted after a short time, with networking or without. Even the command line safe mode got this message, and no amount of shutdown -a would stop it.

By perusing your excellent forums, we were able to restore to a system snapshot from the top thing in safe mode F8 and get rid of the reboot, and we got some files off with Malwarebytes, but then the virus attacked and disabled Malwarebytes.

Because we think this may be a java exploit, we killed all the jre, and the computer runs ok, but we would really like to clean it up.

Attached are dds logs and gmer logs.

Answer:sirefef ac ag reboot

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.

How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt

Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.
Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

===

Third party programs if not up to date can be the ca... Read more

5 more replies
Relevance 56.99%

Before anything, thank you for your help.

I have a net-book that is infected with variants of sirefef as reported by MSE. Upon power-up, the computer loads, and reboots in a loop every 60 seconds or so. When I log in, I can get very little done (as in running utilities) before the system has a critical error and reboots.

I tried to complete the README. Installed CCleaner. (system rebooted) Ran CCleaner, system rebooted before the scan could complete.

Downloaded (RogueKiller, Malwarebytes, Hitman Pro, and MG tools) from a working computer, moved to usb drive, copied to correct locations on infected pc. (working between reboots)

Ran RogueKiller: System rebooted during scan, no log.
Ran MalwareBytes: System rebooted during scan, just after I was able to get scan to start, no log.
Ran HitMan Pro: System rebooted during scan, no log.

Ran MGtools: this is the only one that produced a log. I don't know if the program finished, the cmd window did not close and did not have a "completed" message when the computer rebooted. (I did make the mistake of running this twice (after a reboot), contrary to the instructions. I have included both logs as a precaution.) Log attached.

Thank you again for your help,
Greg
 

Answer:sirefef and 60 second reboot

As soon as you boot into windows, open a command prompt and type in:
shutdown /a

Now see if you can run the scans.
 

11 more replies
Relevance 56.17%

I have a several month old Dell Dimension 4600 running WinXP Home, with dual monitors, which runs great, I'm happy. If I have to reboot for some reason, everything shuts down fine, but system shows the F2/ F12 screen briefly, then goes to black screen with the underline cursor for 5 minutes! After 5 minutes, the HD kicks in, XP loads normally and everything runs fine. Scanning through the various BIOS setup items, Fast Boot is on, system is set to boot from C: first, then CD; and there don't seem to be any "weird" or obviously wrong settings of any kind. Any suggestions?
I have also run msconfig and gone through turning off start up programs, etc. but once loading XP begins, everything runs fine, just takes 5 minutes to start...
 

Answer:5 minute reboot - BIOS issue?

8 more replies
Relevance 56.17%

I recently downloaded the Sims 3 Pets from Origin. Think it's possibly not a coincidence that when I searched through the similar topics for the virus that people had the Sims 3 in their files. I checked the file location for something MalwareBytes picked up and it was created the day I downloaded this game. I can't seem to get rid of this virus. Microsoft Security Essentials, Windows Firewall and Windows Update will not turn on. When I scan with M Security Essentials and with M Security Scanner it gets to a certain point and then comes up saying there is a critical error and the laptop will restart in one minute. What can I do to get rid of this virus? I've uninstalled M Security Essentials now and have installed MalwareBytes. My details are:

64 Bit Operating System
Dell Inspiron N7010
Windows 7 Home Premium

The same restarting seems to happen on MalwareBytes. It's got to the same file on a quick scan three times:

C:\Windows\Installer\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\U

There are three files inside:

[email protected]
[email protected]
[email protected]

Once it's identified it, it says it urgently needs to restart.

Microsoft Security Essentials identified it as Win64/Sirefef.B

From MalwareBytes:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.11.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Bethany :: BETHANY-PC [administrator]

Protection: Disabled

11/08/2012 19:46:55
... Read more

Answer:Win64/Sirefef.B - MSE, Windows Firewall, Windows Update will not turn on - Restarts every minute when attempt to use M Security...

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

29 more replies
Relevance 56.17%

Hi all, I'm new to the community here so that's my first post, unfortunately. Well, the problem started with Windows Firewall being disabled and I was getting an error. So I decided to install MSE when the reboots started... Is there a "fast" solution? My system is W7 x64 and I have Bitdefender Security Center..

Any help you could provide would be appreciated a great deal.

Thanks in advance.

Apostolis

Answer:Sirefef.y infection and reboot every 60 sec

Doing a little research I found what has to be done with Farbar, so I did that and I will post the log file.

Scan result of Farbar Recovery Scan Tool Version: 17-06-2012 04
Ran by SYSTEM at 18-06-2012 13:50:46
Running from G:\
Windows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [BDAgent] "C:\Program Files\Bitdefender\Bitdefender 2012\bdagent.exe" [1067256 2012-04-01] (Bitdefender)
HKLM\...\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe [310272 2010-07-29] (Saitek)
HKLM\...\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe [158208 2010-07-29] (Saitek)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [WindowsLiveDeviceIntegrator] C:\Program Files (x86)\Windows Live\Device Integrator\wldi.e... Read more

14 more replies
Relevance 55.76%

I have been beating my head against the wall with this one.
Just got a Gateway E-9520T for a customer. We spent the last week configuring it, installing updates, etc--but it's pretty much vanilla Windows Server 2003 R2 32-bit with exchange 2003. We haven't installed any of their customer applications yet.

During the setup and testing we did everything from leaving it on at night, to shutting down over night, rebooting, etc...

A few days ago it suddenly started taking around 30 minutes to boot and 30 minutes to shutdown.

During the startup/shutdown the RAID array is going crazy. Tons of file access.
When starting up it performs POST correctly, starts booting Windows (2003 Server Logo, with the little scroll thing at the bottom), and then the screen flashes like it's about to switch to graphical mode. But it hangs there with a blank screen for 30ish minutes.

The morning this started we hadn't installed any new drivers, updates, applications, or anything. Just fired the box up.

Gateway thought it might have been the MegaRAID card, so they sent a new one. No change. MegaRAID says their latest firmware fixes an issue that sounds like this problem. Updated the MegaRAID firmware, and it's still taking forever to boot.

What I've done:
Waited forever for the system to come up, rollback driver updates for the RAID card. (no effect)
Booted off Gateway's recovery CD (at their request) and used it to reinstall the factory default drivers. (no effec... Read more

More replies
Relevance 55.76%

Just this afternoon, I went to use my PC and got the following error; Windows has experienced a critical error and will restart in 1 minute.

Running Windows 7 64 bit....With automatic updates so it should be the latest version of Windows...

My anti virus (Avira 2012 Internet Suite) pops up and states I have 2 viruses. But before the AV can do anything (delete the files) Windows shuts down....I finally got into Safe Mode and tried running my AV, while it was scanning I then got a BSOD. Had to start all over again; Running MalwareBytes now before trying to do the AV scan, just to see if MalwareBytes catches anything.

I have uninstalled the only application I've installed in 3 months, and problem still persists...

I have a Hijackthis log if it needs to be viewed...Just let me know and I'll upload it.
 

Answer:Windows has a critical error and will reboot in 1 minute

when you get the 1 minute warning, try typing from the start menu "shutdown -a" or "shutdown /a", and the countdown should go away, and you should be able to remove the viruses.

Be sure to disable your system restore backups (delete them), or the viruses may come back. Re-enable them as soon as you are sure you have gotten rid of the viruses.
 

1 more replies
Relevance 55.76%

My l 50 works great, on average for 25 to 30 minutes, and then cuts off all by itself. I turn it on again and it works again for 25 to 30 minutes, every time. If I'm careful, I can restart it before it cuts off at 25 minutes, as many times as I want, and it works normally. Could you help me? Thank you.

More replies
Relevance 55.76%

I have a Lenovo IdeaPad Y400 that is now almost 2 months old. Earlier today, I noticed that it did not properly go into hibernate when I shut it. The keyboard was still lit up, with no LCD display (including not if I hit Fn+F2) and with the fan at high rpms. I shut it down by holding the power button, and upon rebooting it, it took over 4 minutes to get back to the desktop. It now requires the 4 minutes every time I restart, and it never goes into hibernate with the lid closed (it must be shut down by the power button).

Fearing that the computer may be having a serious issue, I tried to make a backup with Onekey recovery, which failed to write a backup (repeatedly). It returned an error saying it couldn't access the partition. I then uninstalled Onekey recovery, downloaded it again from the Lenovo website. Now when I run Onekey recovery it says my system is not able to write a backup.

I am now stuck in a tough spot of not being able to backup my laptop and not being able to do a recovery without losing everything. On the Lenovo support site, when I select startup issues, the feedback it gives me is "Thank you for your question. This is a known problem and a solution is being developed. Please check back for updates."

Anyone have any ideas what could be causing the main (shutdown/startup) issue?

As the laptop is under warranty, should I just send it back to Lenovo?

Answer:ideapad y400 won't shutdown/4 minute reboot

hi hansweeks,
 
If your PC came with a HDD+SSD drive, try to boot into the BIOS (by repeatedly pressing F2 on startup) and check if both the HDD and SSD are detected (if you're missing one, that HDD might be faulty and needs to be replaced).

If both HDDs are detected (or if your PC came with only a SATA HDD) try to run an HDD diagnostic. Try HD Tune to run HDD error checking in Windows or create a bootable HDD diagnostic (see steps below).

1. Download the UBCD ISO
2. Burn the ISO using imgburn
3. Insert the CD that you just created into the defective computer and reboot
4. Upon reboot, continuously press F12 and boot from the ODD/CD-DVD
 
To burn the diagnostic software on a flashdrive, follow this guide
 
Note:
If you find any errors, you will need to send the unit to Lenovo for service. Support phone list here.
 
For data backup, you can copy / paste your files on a USB flashdrive / hard drive or use this software to clone your hard drive. 
 
 
Hope this helps 

3 more replies
Relevance 55.76%

OS - Windows 7 32-bit

I have obtained the Sirefef trojan on my laptop and would like assistance in getting rid of it.
My situation is very similar to the one found in this topic.
I am afraid to use the Internet on my infected laptop, so I hope to use a USB flash drive to solve the problem (as in the above topic).

Let's tackle this problem together! You guys are great at what you do, and I admire your expertise. I'm ready to follow your lead!

Thanks,
Stratego

Answer:Sirefef Trojan ||| Reboot Loop

I do not have access to the System Recovery Options because I have misplaced my Windows 7 installation disc.

However, I still managed to use Farbar Recovery Scan Tool, although it was not in a recovery environment.
I think I should be okay.

The following is my FRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 15-08-2012
Ran by Zack at 15-08-2012 16:40:14
Running from F:\
Service Pack 1 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.
============ One Month Created Files and Folders ==============

2012-08-15 16:31 - 2012-08-15 16:40 - 00000000 ____D C:\FRST
2012-08-15 14:31 - 2012-08-15 16:04 - 00000914 ____A C:\Windows\PFRO.log
2012-08-15 14:14 - 2012-08-15 14:14 - 00000000 ____D C:\Users\All Users\ESET
2012-08-15 14:08 - 2012-08-15 14:14 - 00000000 ____D C:\Program Files\ESET
2012-08-15 03:06 - 2012-08-15 16:37 - 00001512 ____A C:\Windows\setupact.log
2012-08-15 03:06 - 2012-08-15 03:06 - 00000000 ____A C:\Windows\setuperr.log
2012-08-14 21:18 - 2012-08-14 21:18 - 00000000 ____D C:\Windows\System32\%APPDATA%
2012-08-09 18:10 - 2012-08-09 18:10 - 00098304 ____A (Sony DADC Austria AG.) C:\Windows\System32\CmdLineExt.dll
2012-08-07 23:20 ... Read more

9 more replies
Relevance 54.94%

Hi All,

I am having the problem as per the title and cannot seem to remove the sirefef trojan in time before it reboots. I have run a FRST64.exe in system repair and this is the outcome:

Scan result of Farbar Recovery Scan Tool Version: 17-06-2012 04
Ran by SYSTEM at 19-06-2012 21:50:20
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-03-30] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-03-30] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [418840 2011-03-30] (Intel Corporation)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [608112 2011-03-29] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-05-27] (IDT, Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3668336 2011-03-24] (Dell Inc.)
HKLM\...\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint&... Read more

Answer:Win7 Reboot after 1 minute, security centre not working

Good evening. Will you fire up FRST64 again but this time I want you to run a search for a file. Paste the following into the Search: textbox and click the Search File(s) button: services.exe

Let me have the log that will be found on the flashdrive, as before.

30 more replies
Relevance 54.94%

So ever since I upgraded to a GeForce GTX 460, I've been getting these ~1min long freezes every time my PC just finished loading Windows (either after a cold boot or reboot).

What could be causing this?

EDIT: This didn't happen to me with my old Radeon HD 5770.

Answer:Windows freezes for over ~1 minute after each cold boot/reboot

I would suspect a driver issue first thing. Check here for the July 2010 version: Drivers - Download NVIDIA Drivers

2 more replies
Relevance 54.94%

Came home to see Windows telling me it needs to reboot due to a recent update. Upon reboot I noticed it was sitting there at the animated Windows logo prior to the logon screen. The numlock LED on the keyboard was stuck so I reset the computer with no change. I then tried safe mode with also no luck. I reset once more and did some googling for quick solutions and about 5 minutes later the computer goes to the logon screen. This is repeatable. I ran a chkdsk /r /f with no change. I'm not quite sure what to check from here but something is definitely wrong when I go from a 10 second start time to 5 minutes. Any ideas?

Answer:how to troubleshoot 5 minute bootup (prev 10s) after win update reboot

Hello and welcome Kevin. Mate, if you can get safe mode, which I am assuming of course, do a system restore to as far back as you like and then it is just a matter of installing updates until one finds the offender and then you just hide it so it doesn't bother you again. (Right click on it and pick Hide)

If you are not offered many restore points, click on the box for further back ones (see pic), but I suspect you know about this option.

1 more replies
Relevance 54.94%

Hi, I'm Kattie. My problem is with my Dell netbook (Inspiron Mini 1012 I think) with Windows 7 Starter.

Honestly, I have no idea where to begin. A few months ago, I contracted a pretty terrible virus that pretty much wiped out my netbook and entirely thwarted any of my attempts at fixing it. I don't remember how at this point, but before it became completely inaccessible, I somehow figured out that it was the sirefef virus. I got a mini-scan to bring up sirefef.exe or something similar, I really don't remember at this point. But the symptoms seem to match other reports, so unless I can figure out otherwise, I think it's safe to assume that sirefef was the beginning of the problem.

Now, when this first happened, I found other people's methods for posting logs and getting fixes, and that was my initial plan for repair, but I just generally ended up procrastinating it, and now, I have a completely different problem and have no idea how to even begin to solve it.

I'm really not sure when this happened or if it's even the result of the virus at all (though I assume it is), but my netbook is now stuck in the most irritating reboot loop that I can just not seem to get out of. I'm really not sure what details to mention here, so it'd probably just be better to ask me specific questions, but I'll explain as well as I can for now.

I was having a reboot problem when first infected, but it had a lag of 60-90 seconds, which meant I could ac... Read more

Answer:Continual Reboot After Virus (Possibly Sirefef?)

I'll report this topic to appropriate helpers.
Hold on....

86 more replies
Relevance 54.94%

Hi Everyone

I have a Lenovo Laptop running Windows 7 Pro x64
It is infected with Sirefef
I have used FRST64 to get the txt files
They will be posted below
Please help write the fixlist.txt

Regards
Michael Tiemann
The IT Bunch

Answer:Sirefef Virus Computer Reboot 60 Secs

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 30-07-2012 19:08:08
Running from G:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2741544 2011-04-07] (Synaptics Incorporated)
HKLM\...\Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2011-11-17] (Lenovo)
HKLM\...\Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9753024 2011-11-17] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5908928 2011-11-17] (Lenovo(beijing) Limited)
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [170264 2012-02-14] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [398616 2012-02-14] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [440600 2012-02-14] (Intel Corporation)
HKLM\...\Run: [nseapc] "C:\Windows\System32\rundll32.exe" "C:\Users\Scott.AAS\AppData\Roaming\nseapc.dll",Resize ... Read more

3 more replies
Relevance 54.12%

I set my screen saver to 5 minutes. Hit apply, and OK. The settings take hold, but then when I reboot or shut down the machine and turn it back on, it resets to the original 1-minute mode. What gives?

More replies
Relevance 54.12%

Every time I shut down and restart my machine, the screen saver settings resort to the original 1-minute one and goes back to it every time after I've set it to 5-minutes, apply, hit OK and then get out. What gives?

More replies
Relevance 54.12%

The screen saver 5 minute setting reverts back to the original 1-minute setting every time the computer is shut down and restarted. What gives?

More replies
Relevance 53.71%

Hi,

I was hit by Live Security Platinum. I managed to uninstall it manually, but then my PC started rebooting after one minute. I solved that with Windows Defender Offline, and cleaned up Sirefef with Malwarebytes. Malwarebytes and MSE says that I'm clean, but I cannot start Windows Firewall or Windows Updates.

I got various error messages when trying to start WF, so I installed ZoneAlarm's firewall. WF is listed in Services, but when I try to start it, it says Windows could not start the Windows Firewall on Local Computer. (Edit: I followed the suggestions from http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/5366225a-46e7-4d6c-a389-8bd18a5c3aad and it works now!)

When I try to run Windows Update it says that Windows could not search for new updates with a 80244018 error. But when I try to search from Microsoft Updates it finds 18 updates. However, when I try to install them, they all fail and it says Some updates were not installed with a 80246008 error. (Edit: I stopped the service and renamed Windows\SoftwareDistribution. I am now able to update from MS Updates, but not from sys admin.)

I'm running Win7-64. I'm in the process of moving, so I don't have my Win7 DVD, but I have the files on my backup drive, so maybe I can make a bootable DVD or USB.

I delete old restore points with CCcleaner, but always keep one. But now I don't see any, so maybe Sirefef deleted that one, too?

Here is DDS.txt. I wasn't abl... Read more

Answer:Cleaned Sirefef and auto reboot, but can't start firewall and updates

Hi,

I've managed to sort out most of my problems. The remaining Windows Updates problem was actually caused by some old registry entries from when I once joined a domain.

But when I had solved that, I realized that I couldn't start the Security Center from the Action Center. But http://windowsxp.mvps.org/helpsvcfix.htm fixed that.

So now everything SEEMS to work and be clean, but I would be grateful if you could please take a quick look at the log file to see if there's anything that looks like a leftover from the Trojan.

Thanks!

3 more replies
Relevance 53.71%

I can't reboot my computer without my computer getting to the Windows screen and then restarting and going to system restore. I have done MalwareBytes scans and Microsoft Essential Security scans that came up with some trojans. Was told that it was removed but it still happens.

Answer:Everytime I reboot,It doesnt work. Last check sirefef trojan.

Download OTL to your Desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
OTL should now start. Change the following settings:
Change Drivers to All
Change Standard Registry to All
Under File Scans, change File age to 30
Under the Custom Scan box paste this in
netsvcs
set /c
/md5start
consrv.dll
UXTHEME.DLL
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
Userinit.exe
Explorer.exe
Winlogon.exe
Regedit.exe
SCLWAPI.dll
/md5stop
%SYSTEMDRIVE%\*.*
%systemroot%\System32\config\*.sav
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job
%systemroot%\assembly\tmp\U\*.* /s

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL. Please post the contents of the OTL.txt file and attach the Extras.Txt, if any, in your next reply.

24 more replies
Relevance 53.71%

I started having a problem with one of my computers this morning.
What looked like the Adobe Updater came up already downloading, and now the computer restarts by itself after about 2 minutes.
Security Essentials says it's Win64\sirefef.P, but the computer restarts before I can do anything, or before any programs can get rid of it.

I've run the recommended programs, but the computer restarts before most of them can finish.

Here are the files from the programs that have finished or nearly finished.

Thanks in advance for any help.
 

Answer:Malware causing system to reboot? Possibly Win64\sirefef.P

Found out how to properly run FRST64, the correct log is attached.
 

2 more replies
Relevance 53.71%

Hey guys, I got this virus somehow. Rarely happens. I tried running combofix and it says "the subsystem needed to support the image type is not present." I have tried everything I can. I am attaching the FRST logs. I would GREATLY appreciate some help on this. I can't get it to stop rebooting. I've done a lot of stuff with F8. Tried recovery CDs I made specifically for this kind of thing and those don't even work. FAIL on MS part. So I have to rely on other sources, and you guys have never failed me. Again, my utmost gratitude if you would look into these logs and see if something can be fixed.

Thank you so much.
Regards Dean.

Typing on a laptop. not easy.
 

Answer:Virus:win64/sirefef.B + Firewall Disabled + Constant Reboot. Cannot fix.

I think I fixed it. I really have no idea how, but it's not rebooting anymore. My firewall is back. I ran combofix after the PC would stay on. Running MS Safety scanner which found the viruses in the first place. I am just happy I can back up files at least. A combo of this site and others helped me. I wish I had more info for others. Persistence on trying different stuff.

I hope this thread can be closed. Waiting for final scan.

fixed
 

2 more replies
Relevance 52.48%

My security alert says I have these four viruses and all attempts to clean them using microsoft forefront client security have failed. Besides, the computer shuts down every couple of minutes. Please help, I am frustrated.

Answer:Please help me rid my laptop of win32/sirefef.an, sirefef, sirefef.ao, and sirefef.ag

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

23 more replies
Relevance 52.48%

A few days ago I started having issues with Google redirecting me to random ad websites, as well as Flash Player update popups. I updated my Microsoft Security Essentials, and since then it has been warning me with the presence of the file names in the topic title, and giving me the option to remove them. I select the removal option and everything is fine for a time but then MSE pops up again warning me of the same files. Anything you could do to help me get rid of these is greatly appreciated.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_25
Run by Dave at 14:15:54 on 2012-04-03
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4031.2141 [GMT 10:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\... Read more

Answer:Infected With Alureon.FP, Sirefef.B, Sirefef.W, Sirefef.AB & Sirefef.J

Download aswMBR ( 511KB ) to your desktop.
Double click the aswMBR.exe icon to run it.
If you can have an open Internet connection, allow it to download the latest Avast engine detections.
If avast! antivirus is already installed, just do the next step.
Click the Scan button to start the scan.
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
In addition, aswMBR will produce a copy of the boot sector, MBR.dat, on your desktop. Attach this file to a reply.

3 more replies
Relevance 52.48%

Good morning and thank you for what you do.

On May 6th my laptop was hit with SMART HDD. I went straight to the "Am I Infected" forum, posted the problem and followed the "Remove SmartHDD Uninstall Guide" with the help of a BC Advisor. It seemed ok for a few days and I got most of my icons back.

On May 16th Microsoft Security Essentials popped up a notice saying it wasn't turned on. Absolutely couldn't get it to start without uninstalling and re-installing it. On install it ran a scan and found no threats, but later found & quarantined Trojan:Win32/Sirefef.AG and Trojan:Win32/Sirefef.I. At the same time, the Windows Firewall became disabled and would not be turned on. I returned to the forum with my original BC Advisor and ran TDSSkiller and GMER and posted the log report. When I had internet connection MSE would quarantine Trojan:Win32/Sirefef.I and Trojan:Win32/Sirefef.AG at a rate of one every two minutes. The screen also said Recommended Action: Remove this software immediately. Items: file:C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] and file:C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] I hit "remove all" every time it appeared. BC Advisor responded "That's a new variant of zero access" "We need advanced tools" and told me to read the preparation guide and post a topic here.

I have followed ... Read more

Answer:Infected: New Variant of Zero Access, Sirefef.AG,Sirefef.I,Sirefef.P

Hi,

Do you have an empty USB flash drive?
We can try an alternative method.

Regards,
Georgi

more replies
Relevance 49.2%

Need help. I have 2 computers, 1 active and other one is older. The one computer that is active family uses a lot. This computer has a big issue.

When you start Windows Vista in safe mode or regular, it will shut down in 4 minutes when you see the desktop shown. I tried system restore on a 2 month date to hopefully to clean it up, but it did not work. Microsoft security doesn't detect it until it reaches the 4 minute mark.

The computer gives a pop up window says "windows occurred a problem and will shut down." I tracked the problem and found win32/Sirefef.AB, Sirefef.r , Sirefef.AH.
All was detected on this computer. I tried to put in a malware detector on it, within the 2 minute mark before it shuts down, but it doesn't make it. So I am using my old computer for investigating. Files are backed up in full.

This old computer has Avast pro, Spybot, and malware bytes anti malware. I just recently took the hard drive out(from the infected computer) and placed it in a exo case to see if I can fix it that way with this old computer. Please help before I get deeper in a hole.
 

Answer:Never faced this issue before,can someone help.I have Sirefef.r sirefef.ah sirefef.ab

10 more replies
Relevance 47.56%

help me plz, virus has been detected almost every second or so in AVG scan and it keeps making copies of itself....i'm now running hijackthis and here are the specs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:16 AM, on 4/6/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG7\avgvv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,St... Read more

Answer:HELP VIRUS LOP every minute(found in AVG evey minute) using hijackthis HELP!!!PLZ

Hi Welcome to TSG!!
Please download Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform Quick Scan, then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy the entire report and paste it in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
 

1 more replies
Relevance 47.56%

Hello all,

I'm a first time poster here and have come here looking for help in resolving my infection issue. I followed the directions in the read first thread and will post my logs. I am / was experiencing the following issues:


Firefox would redirect to various pages such as newsfudge.com. Since proceeding through the read first post, and also running goored? I have not noticed this recently.
Sometimes browsing seems to be incredibly slow, possibly related to the redirections.
Since attempting to troubleshoot this issue (Microsoft Security Essentials), it is believed that this is causing the following issue:

! You are about to be logged off
Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now.

If I let the computer restart itself, then this will keep happening. I have learned to "interrupt" it by running a normal restart after the message pops up. So far every time the computer comes back I won't get the message. If I restart again, it will happen again. I haven't noticed anything in particular relating to this in the system log.

While not experiencing problems with the programs to resolve issues like this, I have noted that it has prevented me from patching games such as Rift. I believe this is related.
While working in safemode sometimes I noticed Adobe Flash 11.3 installer would frequently run trying to get me to install it. I do believe there was a massive security thr... Read more

Answer:Win32/Sirefef.AB & Win64/Sirefef.P; Browser Redirection, Windows Critical, Restarts

Re: Win32/Sirefef.AB & Win64/Sirefef.P; Browser Redirection, Windows Critical, Restar

Welcome to Major Geeks!


Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.

Also allow Hitman to delete the C:\Windows\assembly\GAC_32\Desktop.ini piece of the infection
Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.
Reboot back into normal Windows and run another scan with HitmanPro and then attach the latest hitmanpro.zip log.
Also do the below:

Delete the below folders if found:
C:\Windows\installer\{5efa2d27-76c5-fff1-abd3-fdc5fc0c9d41}
C:\Users\Administrator\AppData\Local\{5efa2d27-76c5-fff1-abd3-fdc5fc0c9d41}


Download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

C:\MGlogs.zip
Make sure you tell me how things are working now!
 

1 more replies
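The locations named in the posts on this page (a GUID-named folder under C:\Windows\Installer with a U subfolder, the same GUID under a user's AppData\Local, C:\Windows\assembly\GAC_32\Desktop.ini, and a Run entry that starts rundll32.exe on a DLL in AppData\Roaming) can be checked for in pasted scanner output. The following is an added example, not part of any forum post or tool mentioned here; the rule names, the `triage` function and the sample lines are constructed for illustration, and only the path shapes and the `{5efa2d27-...}` GUID come from the page.

```python
import re

GUID = r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}"

# Path shapes taken from the posts on this page.
INSTALLER = re.compile(r"\\Windows\\Installer\\(" + GUID + r")(\\\S*)?", re.I)
APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\(" + GUID + r")", re.I)
GAC_INI = re.compile(r"\\Windows\\assembly\\GAC_32\\Desktop\.ini", re.I)
RUN_DLL = re.compile(
    r'\\Run:.*rundll32\.exe.*\\AppData\\Roaming\\[^\\"]+\.dll', re.I
)
# "\U" must be a whole path component, so "\Uninstall.ico" does not match.
U_SUBDIR = re.compile(r"\\U(\\|$)", re.I)


def triage(lines):
    """Return (rule, line_number, guid_or_None) for each hit in log lines.

    C:\\Windows\\Installer normally holds GUID-named folders from the
    Windows Installer cache, so a GUID folder there is not reported by
    itself: it is reported only with a U subfolder, or when the same GUID
    also appears under AppData\\Local.
    """
    findings = []
    installer, appdata = {}, {}
    for no, line in enumerate(lines, 1):
        m = INSTALLER.search(line)
        if m:
            guid = m.group(1).lower()
            installer.setdefault(guid, no)
            if U_SUBDIR.match(m.group(2) or ""):
                findings.append(("installer-guid-U", no, guid))
        m = APPDATA.search(line)
        if m:
            appdata.setdefault(m.group(1).lower(), no)
        if GAC_INI.search(line):
            findings.append(("gac32-desktop-ini", no, None))
        if RUN_DLL.search(line):
            findings.append(("run-rundll32-roaming-dll", no, None))
    # Correlate: one GUID seen in both locations, compared case-insensitively.
    for guid in sorted(set(installer) & set(appdata)):
        findings.append(("guid-in-installer-and-appdata", appdata[guid], guid))
    return findings


# Constructed sample lines (file names and the all-digits GUID are made up).
SAMPLE = [
    r"C:\Windows\Installer\{00000000-1111-2222-3333-444444444444}\icon.ico",
    r"C:\Windows\Installer\{5efa2d27-76c5-fff1-abd3-fdc5fc0c9d41}\U\placeholder.bin",
    r"C:\Users\Administrator\AppData\Local\{5EFA2D27-76C5-FFF1-ABD3-FDC5FC0C9D41}",
    r"C:\Windows\assembly\GAC_32\Desktop.ini",
    r'HKLM\...\Run: [example] "C:\Windows\System32\rundll32.exe" '
    r'"C:\Users\user\AppData\Roaming\example.dll",Entry',
    r"HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe",
]

if __name__ == "__main__":
    for rule, line_no, guid in triage(SAMPLE):
        print(f"line {line_no}: {rule} {guid or ''}")
```

A hit is a reason to hand the log to a helper, not a removal instruction; the fix still has to be written for the specific machine.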
Relevance 47.15%

Referred from here: http://www.bleepingcomputer.com/forums/topic462175.html ~ OB

I am running Windows Vista with Microsoft Security Essentials when I first encountered the problem. The virus shut down MSE and the Microsoft update center, my firewall, etc. I downloaded MBAM, ran the scan, and it caught some files. Disinfected them, rebooted, rescanned, and files appeared again (while running in safe mode with networking from the point after being infected). I followed the instructions here: http://www.bleepingcomputer.com/virus-removal/remove-security-shield first because this is where I believe all the problems began (that is after my wife clicking on an embedded link within FB). Upon completing the entire process, I noticed I still had the sirefef trojan, sirefef virus, and rootkit 0 access as I was running MSE and MBAM right before getting the "windows (Vista) encountered a critical error and will restart" loop. I have already downloaded frst.exe and ran it through the USB drive connected to the infected CPU. I do not know what to do from this point on to get my CPU back to "healthy" and virus free status again ??????

Running Vista 32 bit

Answer:Security SHield 2012, sirefef trojan, sirefef virus, and rootkit 0 access TROUBLE!

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

58 more replies
Relevance 46.74%

The internet comes and goes. I'll have pages load instantly for a minute or so and then the next click the pages times out. A minute of page refreshing and more time outs and then I'm back to blazing speeds again. This repeats again and again. Restarting the computer, cable modem and router seems to make no difference. I've tried IE, Firefox, Chrome and Safari, and again, no difference. I have 4 computers on my home network. This happens on all of them but for the sake of troubleshooting this I have physically disconnected 3 of them from the network. I've reset and reconfigured the router. I've removed the router and connected straight to the modem. No problems. Blazing connection. Added the router back in the loop, reboot and problem occurs immediately. So router problem, right? Yes, except I had the same problem with another router and replaced it with this one. What the...?

Here's what I'm running:
HP Pavilion Slimline s3200n
AMD Athlon 64 X2 Dual Core Processor 4800+ 2.5 GHz
3454 MB RAM
NVIDIA nForce 10/100 Mbps Ethernet Card
Wired DLink EBR-2310 Router
Motorola S85120 Cable Modem (Comcast)
Windows Vista Home Premium 32-Bit

Also, a friend said I should run HijackThis and post the log file here. So here you go!

****************************BEGIN LOG FILE*******************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:05:23 PM, on 8/28/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running process... Read more

More replies
Relevance 46.74%

Hello Helper--

First, thank you so much for your help. I hope this is not overly-thorough... My topic title reflects what has been found on my machine using a variety of tools-- but I still don't trust my machine is clean. I want to avoid reinstalling Windows since I don't have a current image disk, and have a lot of stuff installed. [Lesson learned: keep a current image disk on hand]

----> here's what happened: I updated Skype via a pop up window that appeared after closing my connection [to Skype]. Soon thereafter ESET [my antivirus] notified me it had quarantined a variant of the Win32 Sirefef.DN trojan. I immediately Googled this and found I was continually redirected to a random Yellow Pages webpage. The only other strange symptom I had noticed until this point was that back on Dec 5 Defender notified me it had found Sirefef.J-- I wondered how that could have happened and found my firewall had been turned off. I reset it back to on, and had not noticed anything else weird until the Skype incident above on Dec 28.

---> here's brief and likely sequentially inexact description of what I did to clean my machine-- I don't remember the order in which I did all these things and can't remember which tools found what, as I sat for ~ 20 hours straight working on it. But this is sort of what I did: Scanned with ESET - ESET reported it found this in operating memory: \GLOBAL??\fd4f11f3\Windows\SNtUninstall\KB60604S... Read more

Answer:Sirefef variant.dn / Sirefef.J /Sirfef.B / 0 Access root kit

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about y... Read more

53 more replies
Relevance 46.74%

I went through the other threads and noticed a fix.txt is needed to repair my brother's computer. I used the frst64 to acquire the two logs attached to this message. Any chance someone can help us? Let me know if you need anything else. His computer starts up and then shuts down before much can be done so I don't have a normal log for you, but I will see what I can get for you.

Thanks!
Scott

View attachment FRST.txt



View attachment Search.txt
 

Answer:win32/sirefef.ab and win64/sirefef.p infection fix.txt needed

You did not run it properly, as indicated by the contents of the log. You need to do it again according to these instructions and you must NEVER follow a fix tailored especially for someone else.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:





Startup Repair
Sys... Read more

11 more replies
Relevance 45.92%

Ladies and Gentlemen of the VTSM forum,

I need help. I thought I had a pretty simple rootkit infection, but tdsskiller/mbam has proven ineffective. MSE is able to identify and ostensibly remove the infection, but doing so makes the computer unbootable and system repair unable to complete, forcing a system restore to the infected state. Infection extends back to the oldest restore point. Win7 64 bit, running MSE and MS firewall with mbam for antimalware. SFC/scannow shows clear. google redirects on firefox and chrome, occasional slowdowns, windows defender is unable to start on boot, otherwise the system seems to be running fine. No rootkits recognized by tdsskiller. As mentioned in the title, MSE shows win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e

Here's the DDS log. Please let me know what else I should supply. Thank you in advance!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by wstrawn at 16:51:52 on 2012-02-17
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4061.1285 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* / Copyright 4
SP: Microsoft Security Essentials *Enabled/Updated* / Copyright 3
SP: Windows Defender *Disabled/Updated* / Copyright 2
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch... Read more

Answer:win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e combination is killing me

Hi Weeps!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete the copy that you... Read more

37 more replies
Relevance 45.92%

Avast keeps detecting Win32:Sirefef-B, Win64:Sirefef-A, and sometimes Win32:Malware-gen. Multiple scans detect & quarantine files, but the trojan warning keeps popping up. My friend ran ComboFix on it & claims that everything is fine now, but I'm concerned that he shouldn't have run ComboFix yet and also that it may not have actually removed this infection. Here is my log from DDS.txt:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16506
Run by Michael Calhoun at 0:57:18 on 2013-10-07
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.3034.1819 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Intuit\... Read more

Answer:Infected with Win32:Sirefef-BTT & Win64:Sirefef-A

Hello troyman5150

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sam... Read more

16 more replies
Relevance 45.92%

My computer is restarting every minute due to "critical error" because of Sirefef. I went ahead and got both FRST.txt and Search.txt for services.exe which I will post below. Also, I want to know if it is likely that Sirefef might spread through USB stick or my home network to another Win 7 computer? I am guessing I got infected from a fake adobe flashplayer update, is that right?

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 16-07-2012 01
Ran by SYSTEM at 19-07-2012 22:44:46
Running from G:\
Windows 7 Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SunJavaUpdateSched] [x]
HKLM\...\Run: [LogMeIn Hamachi Ui] [x]
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\CompooterUser\...\Run: [DAEMON Tools Lite] [x]
HKU\CompooterUser\...\Run: [Steam] [x]
HKU\CompooterUser\...\Run: [uTorrent] [x]
HKU\CompooterUser\...\Winlogon: [Userinit] [x]
HKU\CompooterUser\...\Winlogon: [Shell] [x]
HKU\Default\...\Run: [Sidebar] [x]
HKU\Default\...\Winlogon: [Userinit] [x]
HKU\Default\...\Winlogon: [Shell] [x]
HKU\Default User\...\Run: [Sidebar] [x]
HKU&#... Read more

Answer:Sirefef.R and Sirefef.AH infection with forced restart

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

6 more replies
Relevance 45.92%

Hello everyone, I just discovered this forum while searching for a fix to my problem. I stumbled upon this post [Thread @ Bleepingcomputer] and he has the exact same problem as I have, even though the name is different. It seems his problem was fixed through a few custom actions a member suggested to him, and I figured I was SOL with my problem and would need the help. So thanks in advance to whoever ends up helping me!

So my PC was running a bit slow, but the thing that ticked me off was this popup that kept appearing randomly, even once triggering on youtube.com, a site which has never generated popups in the recent past. This nagged me so I launched MBAM and it found something called Trojan.Dropper.BCMiner and it failed to remove it after asking for a reboot. So I try a bunch of stuff, I don't really remember all I did since I fired in no precise order, ComboFix (which didn't start at first, but it did once I rebooted into safe mode later in the process), the kaspersky malware tool I've seen suggested a lot here (I don't remember the exact name), MBAM, a MSSE scan and SUPERAntiMalware. All of them failed at doing anything good. I also ran the avast MBR fix tool to no avail, it actually blue screened my PC.

After I started reading on the topic linked earlier, I ran almost the exact same procedure, up to getting a FRST log, which I now do have. In the end, I'm having the same problem I had at the beginning, MSSE is crazy about the two desktop.ini files in... Read more

Answer:Infected with Win32/Sirefef.P and Win64/Sirefef.AB

Hi,

I'd like to see an updated FRST log:

download Farbar Recovery Scan Tool and save it to a flash drive. (you need the 64bit version)

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.... Read more

14 more replies
Relevance 45.92%

I recently downloaded a file and was later infected by Win32/Sirefef.AB and Win64/Sirefef.P viruses. Any help in resolving this issue would be greatly appreciated.
 

Answer:Infected with Win32/Sirefef.AB and Win64/Sirefef.P. Help

Welcome to MajorGeeks, Yellow77

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:





Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and f... Read more

3 more replies
Relevance 45.92%

Hi guys,

Since yesterday I'm getting alerts from Microsoft Security Essentials about trojans in C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini

First I tried bootable live CDs from AVG and Dr.Web, scanned and cleaned PC with Microsoft Security Essentials, after it didn't help, smoked Google a little and found your forum.

Read "READ & RUN ME", and here are the log files.

Huge thanks in advance
 

Answer:Trojans: Win32/Sirefef.AB and Win64/Sirefef.P

and here are 3 other logs..
 

4 more replies
Relevance 45.92%

Hello. My antivirus picked up these two and I was wondering if anyone could help me remove them. I tried using dds to send you logs but no attach or dds txt pops up after using it, and I'm an amateur when using computers so I have no idea how to find those logs if they exist somewhere in my system. Hope someone can help.

Answer:win64 sirefef -btt and win32 sirefef - a detected

Hello SONYAns

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same",... Read more

4 more replies
Relevance 45.92%

Computer wasn't showing up on the local network, firewall was complaining it couldn't start and the service was missing. Function Discovery Resource Publication was refusing to start too. Skimmed some blogs, ran Combofix and let it do its thing (realise that I probably shouldn't have been so cavalier now) and the computer restarted and reappeared on the network. The firewall sprang back into life, windows downloaded several updates and security essentials detected Win32/Sirefef!cfg in two locations and Win64/Sirefef.AC in another. These were quarantined and deleted. Ran Malwarebytes antimalware which detected a couple of other things in install files (not running) and removed them. I subsequently ran combofix /uninstall and the computer seems to be behaving itself, but I want to be sure that I've actually removed the infection. DDS log below, many thanks in advance:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 1.6.0_35
Run by daniel at 21:23:25 on 2012-12-10
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.44.1033.18.8183.5735 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows&... Read more

Answer:sirefef.ac and sirefef!cfg infection - firewall and various other services were gone

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more

16 more replies
Relevance 45.92%

Title pretty much says it all. Whenever my computer restarts if I don't do anything Microsoft Security Essentials will detect 2 infections, Sirefef.AH and Sirefef.R, and then inform me that I have a minute until the computer shuts down. If I end the process for Microsoft Security Essentials before any detections occur though then I can use my computer like normal. I'm guessing I need to use FRST to replace services.exe like in the other topics exhibiting this behavior, but since I can't interpret the logs I don't know how to fix this myself and admit that I could be way off.

On a possibly unrelated note, I've never been able to get ComboFix to run properly. I was asked to use it in a prior help topic on this site but was unable. Since then I've tried several times on my own to make it run to no avail. It always hangs after it informs me that it may take 10 minutes or more for badly infected systems and that text just hangs there even when I leave it on overnight.

I don't really care if ComboFix ever runs on my computer, but I figured it could be a symptom for something else so I'm listing it. Mostly I'd just like to be able to restart my computer without racing to stop processes before it gets stuck in a cycle.

Thanks in advance for whoever decides to help me.

Answer:Infected Sirefef.AH and Sirefef.R, computer keeps restarting

Please run the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

9 more replies
Relevance 45.92%

Hello. I have an XP machine, pretty old though works (except it is slow...probably some other residual trojan issues). I need your help!! Please assist.

I have Microsoft Security Essentials and MalwareBytes Anti-Malware on my machine. MSE detected the Sirefef.ac and Sirefef.ah trojans/viruses several days ago. It removed them. Then they appeared again and were removed again. This occurs every day. (FYI, MSE is always on and does an automatic daily scan. MBAM is run by me manually every several days.)

Over the weekend, I tried using various add'l software to get rid of these items & others though at the end of the day, the situation remains as noted above. Very frustrated that I can't do this on my own and am worried about my computer security. (I believe I used Eset, Kaspersky TDSS killer, ccleaner, & itMan Pro)

First, if the sirefef items show as being removed, is my computer safe to use or should I turn it off? When I do get on the internet (when MSE shows all clean and green status), I do get to my default site, msnbc, can get to other sites, and don't get redirected.

I searched and found what seems like exactly the same problem in your forum.

topic450849 raised by MarkP, helped out by Broni, &
its successor topic, topic451285 helped out by Gringo.

Should I just follow and replicate what was noted on those forums or wait and follow specific instructions?

Thanks so much for trying to help me out!!

Kind regards,

Davidad

Answer:XP Infected w/ sirefef.ac & sirefef.ah & need help to permanently remove

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

9 more replies
Relevance 45.92%

Yes I have the dreaded infection and have downloaded the frst64.exe and will run it to get the log files...
Any other directions or advice would be great

Not sure if this is the correct place to post virus infection requests...if not please direct me to the correct place...I do have the frst.txt file for my issue to upload when necessary.

Thanks
Russ

Answer:Win32/sirefef.AB / win64/sirefef.P infection

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

You can also post the FRST log

Good luck

1 more replies
Relevance 45.92%

Hello,

Microsoft Security Essentials is notifying me that Win32/Sirefef.AB and Win64/Sirefef.P are potential threats, but of course trying to remove them does nothing.

Attached is my Farbar Recovery Scan Tool log. Thanks in advance for any help!

Answer:Win32/Sirefef.AB and Win64/Sirefef.P Infection

Hello user314159 and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, ple... Read more

4 more replies
Relevance 45.92%

Microsoft Security Essentials keeps reporting this Trojan and quarantines it. After attempts to remove the file, It keeps reappearing. It shows a file location that I am unable to find on my system C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\U\[email protected]
Now I am getting a warning about VirTool Win32/Obfuscator.XQ @ C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\n However, this file cannot be located either. There is no C:\Windows\Install directory.
Also Combofix loads and starts then it crashes. Disappears from file manager and splash screen disappears -- The program literally stops running.


DDS Text File Contents:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Estelle Clark at 2:59:47 on 2012-05-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2423.1353 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSp... Read more

Answer:Infected with Trojan:Win32/Sirefef.AG and Sirefef.I

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more

4 more replies
Relevance 45.92%

Hi,
I have recently changed AV programs from Eset nod 32 to Microsoft Security Essentials.

Upon running a scan with MSE, it has detected two trojans,
Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

Located in:
C:\Windows\assembly\GAC_32\Desktop.ini

I have gone through READ & RUN ME.
I did not run RootRepeal as I have Windows ultimate x64.
ComboFix and TDSSKiller did not create log files.

TDSSKiller did find 2 threats and attempt to delete, upon reboot Windows became stuck in loading.

Thanks in advance
 

Answer:Trojan:Win32/Sirefef.AB & Win64/Sirefef.P

Currently reviewing those logs and will get back to you as soon as possible.
 

2 more replies
Relevance 44.28%

I've found similar problems on these forums and would greatly appreciate a Fixlist.txt
Please and Thank you as always.
 

Answer:Sirefef.P and Sirefef.AB Removal Needed

Welcome to Major Geeks!

We need some additional information to replace an infected system file.

Boot to System Recovery Options and run FRST again.
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (See How to attach)
 

7 more replies
Relevance 44.28%

Hi

A friend of mine brought his pc to me. When I opened it after 1-2 minutes windows showed an error and said that pc will restart itself 1 minute later.
I have Microsoft Security Essentials. At the time I see the error Security Essentials briefs me about the virus. It happens at the same time. Virus container file is system32/services.exe.

I only have 2 logs because I had no time before it reboots. Sorry about my English.

Thanks.
 

Answer:Sirefef.r Sirefef.ah (PC Boot itself in 1-2 minutes)

Hello there. Your English is just fine.


This indicates you did not run the tool correctly. Follow the instructions further below to do so.





ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Opti... Read more

9 more replies
Relevance 44.28%

Hello kind removal helpers,
I have an XP SP2 installation that was infected with sirefef, sirefef.AG and .AL. Forefront theoretically removed them after much trying, but now I cannot install any Microsoft update and would like to get this machine to SP3. Downloaded the installer but it fails with 'The requested lookup key was not found in any active activation context' Service Pack 3
". Tried the fix in 949377, but cannot even download the fix. I cannot connect to any shares to get the file from there either.
Please advise as to what I can do to get this thing cleaned up. Appreciate it.
 

Answer:recovery and repair from sirefef, sirefef.AG and AL

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Ant... Read more

1 more replies
Relevance 44.28%

The computer has run slowly for about a week now. Ran Malware Bytes and Microsoft Security Essentials. It picks up Sirefef.E and Sirefef.D and quarantines and removes it. It comes back within minutes. So frustrating and I am worried about other damage it may be doing!

Firefox will also randomly open a webpage - eminentsearch or Lycos or some other odd search page.

I appreciate any help you can offer!!!

Answer:sirefef.d and sirefef.e and eminentsearch redirect

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427706 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

8 more replies
Relevance 44.28%

I keep getting hit by the same trojans, and Trend Micro keeps telling me that it deletes malicious software that has titles like [email protected] and [email protected]. But the files keep coming back, and Trend Micro makes me restart to get rid of them, or other files, sometimes. There was also one file that Trend Micro couldn't get rid of and I have no idea what that was. Please help.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by DAvid at 18:18:23 on 2012-07-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.996 [GMT -4:00]
.
AV: Trend Micro Titanium *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.ex... Read more

Answer:TROJ_ZEROA.DUKKS, SIREFEF.DD, SIREFEF.QY

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

23 more replies
Relevance 44.28%

My computer has the dreaded sirefef! I'm running Windows Vista Home Basic Service Pack 2. 32 bit.

A few weeks ago Microsoft security essentials (mse) stopped running. I tried to start it again but a message came up stating that the program didn't exist as an installed service. I also noticed that windows defender was off and it also claims it doesn't exist as an installed service (error 0x80070424). When I tried to reinstall windows defender, it popped up a message "Windows Defender does not need to be installed because it is included with windows vista. You can access it from the control panel."

The other day I decided to try to get Security Essentials running again by uninstalling it and reinstalling it. It worked and began to scan my computer. It found two threats: sirefef.AH and sirefef.R . I clicked clean threats and mse started cleaning them. HOWEVER, sometime after I got mse running again, I got a notice that read: "Windows has encountered a critical error and will automatically restart in one minute. Please save you work now." My computer restarted and I got that notice again. I tried safe mode and I still got that message and force restart, but it happened slower. In safe mode I ran mse again, it saw the same threats, I clicked clean, and It claimed they were cleaned (I know they aren't).

Eventually I chose the option "Repair Computer" from the F8 menu and went to a restore point 2 weeks earlier. (But not without ... Read more

Answer:sirefef.ah and sirefef.r have infected my laptop!

I'd like to see the ComboFix log as well, please. It can be found at C:\combofix.txt (older logs at C:\qoobox\combofix2.txt).

Then please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
* Restart the computer.
* As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
* Use the arrow keys to select the Repair your computer menu item.
* Choose your language settings, and then click Next.
* Select the operating system you want to repair, and then click Next.
* Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
* Insert the installation disc.
* Restart your computer.
* If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
* Click Repair your computer.
* Choose your language settings, and then click Next.
* Select the operating system you want to repair, and then click Next.
* Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

* Select Command Prompt
* In the command window type in notepad and press Enter.
* The notepad opens. Under File menu select Open.
* Select "Computer" ... Read more

16 more replies
Relevance 44.28%

I've been noticing that randomly websites were opening pop-ups (advertisements) and that internet was running slow...decided to run MSE and noticed it was turned off. So I enabled it and immediately it displayed a threats detected message identifying Sirefef.ab (C:\Windows\assembly\GAC_32\Desktop.ini) and Sirefef.p (C:\Windows\assembly\GAC_64\Desktop.ini). After several removal attempts each of which resulted in Windows displaying a message that windows has encountered an unexpected error and will restart in a minute...I gave up on MSE.

After fooling around with other anti-virals, i.e. Ad-aware, Malwarebytes etc., I gave ComboFix a try and I've attached the log file. I think ComboFix screwed something up as I can't run any program anymore: every time I start a program I get a message saying "Illegal operation attempted on a registry key that has been marked for deletion". What should I do now? ComboFix log file is attached.

Thanks!

Answer:Sirefef.ab and Sirefef.p Removal complications

Ok...so ComboFix had already removed quite a lot of stuff. I went ahead and removed the top two drivers as well - the ones with randomly generated names. Rebooted my computer and everything seemed fine, all programs running fine as well. So I re-installed MSE and ran a full scan; it identified the same files in the assembly folder and a few others, removed those files...another reboot and everything has been fine since then. No program crashes, slow internet or pop-ups.

3 more replies
Relevance 44.28%

I noticed that my desktop icons stopped saving their size and position. This set off personal alarms about my computer so I decided to run a full AVG scan. Completed the AVG scan and it got rid of things, but my desktop icons still kept behaving abnormally.

Decided to try MSE (uninstalled AVG), and that did a full scan and identified the Sirefef virus.

Now every time I boot and every time I open Firefox or do anything internet related, it pops up with two warnings about Sirefef AB and P infecting the Desktop.ini files in the C:\Windows\assembly\GAC_32\ folders. Removal does nothing.

Ran a MBAM quick scan and detected a Trojan.Dropper.BCMiner which I tried to remove and it just comes back.

I run W7-64bit so I did not create a GMER log. I posted a bunch of logs from the tools I've seen other people have the posters run, so I could cover all the bases in one swoop. Thanks in advance and I appreciate any help.

-----------------------------DDS pasted below -----------------------------
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_32
Run by CCM at 16:59:48 on 2012-06-02
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-... Read more

Answer:Sirefef.AB / Sirefef.P - Desktop.ini Infections

Hi,

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive (you need the 64bit version).
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
* Restart the computer.
* As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
* Use the arrow keys to select the Repair your computer menu item.
* Choose your language settings, and then click Next.
* Select the operating system you want to repair, and then click Next.
* Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
* Insert the installation disc.
* Restart your computer.
* If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
* Click Repair your computer.
* Choose your language settings, and then click Next.
* Select the operating system you want to repair, and then click Next.
* Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

* Select Command Prompt
* In the command window type in notepad and press Enter.
* The notepad opens. Under File menu select Open.
* Select "Computer" and find your flash drive letter and close the notepad.
* In the command window type e:\frst.exe (for x64 bi... Read more

12 more replies
Relevance 44.28%

Hello,

I've been infected with Sirefef for a week now, tried system restore, full system scans in safe mode, tdss killer, numerous Sirefef removal tools from Kaspersky, Eset, Symantec to no avail. MS SE still finds Sirefef reincarnations from time to time.

please help!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by The Great Dark Lord at 2:12:28 on 2012-07-01
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8159.4495 [GMT 4.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Wind... Read more

Answer:Sirefef.P Win32 / Sirefef.Y Win64

Hi,

Please run the following:

* Download Farbar Recovery Scan Tool and save it to a flash drive.
* Plug the flash drive into the infected PC.
* Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.
* Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
* In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
* In the command window type in notepad and press Enter.
* The notepad opens. Under File menu select Open.
* Select "Computer" and find your flash drive letter and close the notepad.
* In the command window type e:\frst64.exe and press Enter.
  Note: Replace letter e with the drive letter of your flash drive.
* The tool will start to run.
* When the tool opens click Yes to disclaimer.
* Uncheck the Whitelist boxes next to Registry, Services, Drivers, and known DLL's
* Place a check next to List Drivers MD5
* Press Scan button.
* It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

33 more replies
Relevance 44.28%

Hello, MSE had a message that said detected and cleaned virus and in the history came up Trojan:win32/sirefef.ak
.am
.ag
/sirefef and then proceeded to say remove.
kept getting the MSE logo spinning and saying cleaning and then same viruses would be in history
I used Malwarebytes and it found the four as well and cleaned them, but I feel something is still there and running in the background because when I reboot my desktop icons keep resetting if I change them. Need help

Thanks
LR

what do you need for me to run a log to show the computer status?

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Roger Trudel :: ROGERTRUDEL-PC [administrator]

12/06/2012 6:25:09 PM
mbam-log-2012-06-12 (18-25-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 280359
Time elapsed: 15 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)... Read more

Answer:Trojan: win32/sirefef.ak & am & ag and sirefef

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete ... Read more

28 more replies
Relevance 44.28%

Hello,

I'm infected with two versions of Sirefef (AC and AH). Windows Security Essentials pops up a message that one of them was found. The virus is always in a *.dll file in C:/Windows/System32. WSE doesn't manage to remove it completely.
I also have a Redirecter that opens Firefox tabs when I search for something on Google. It mostly opens this site: http://nutritioncuisine.com/videos/?src=113636&utm_source=AD_113636_5_304654&utm_medium=cpv&utm_campaign=NCvideosCPV113594 (You probably should not open this without a script blocker...), but this virus isn't even found by WSE....

I'm using Windows Vista Home Basic SP2.

Please help me. I don't know what to do to remove the viruses.

Florian

Answer:Im infected with Sirefef.AH & Sirefef.AC and a Redirecter...

Download TDSSkiller
* Launch it.
* Click on change parameters
* Select TDLFS file system
* Click on "Scan".
* Please post the LOG report (log file should be in your C drive)

Please download GMER from here (does not work on 64 bit OS): http://www2.gmer.net/download.php
* Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
* GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
* If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
* Now click the Scan button. If you see a rootkit warning window, click OK.
* When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
* Click the Copy button and paste the results into your next reply.

Download aswMBR
* Launch it, allow it to download latest Avast! virus definitions
* Click the "Scan" button to start scan.
* After scan finishes, click on Save log
* Post the log results here

1 more replies
Relevance 43.87%

MSE informs me of the presence of 3 Trojans:

Win32/Sirefef
Win32/Sirefef.AG
Win32/Sirefef.AL

MSE is quarantining these items and reports that they have been removed; however they have not. They provoke a response from MSE about once every 4 minutes (all 3 reappear simultaneously). MSE quarantines and then "removes" but the removal is not successful. I first noticed the MSE activity shortly after restarting the computer yesterday. Other items were detected at this time and appear to have been successfully removed - I think there were 2 other items - and I think their names were "FavPak" or similar and something with "adware" in its name.
The 3 Sirefef items continue to appear in MSE log every 4 minutes or so (simultaneously).
My machine is running Vista Home Premium (and that is about the extent of my knowledge).

I followed the trail from MSE to Microsoft help pages to Bleeping Computer (a well-trodden path I guess).
I am not particularly computer literate but I am able to follow complex instructions precisely.

Grateful for any assistance that you can give,

Thanks,

Phil

Answer:Sirefef, Sirefef.AG and Sirefef.AL infection

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more

24 more replies
Relevance 42.23%

Hello and Welcome to Bleeping Computer!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At t... Read more

Answer:win32/sirefef.ab, win64/sirefef.p and win64/sirefef.m

Hi Gringo
Thanks for your help. My firewall is down and I am lost on what to do. I have done what you asked and hope it's OK.
What is this Sirefef? Seems like it wants to stay.

Scan result of Farbar Recovery Scan Tool Version: 16-05-2012
Ran by SYSTEM at 16-05-2012 19:15:34
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10151968 2010-05-20] (Realtek Semiconductor)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113296 2010-03-29] (NEC Electronics Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\... Read more

8 more replies
Relevance 41.82%

I installed Microsoft security essential and ran a full scan of the system. But I found out that my Windows is attacked by Trojan:win64/Sirefef.W, Trojan:win64/Sirefef.M and Trojan:win32/Sirefef.AK. Microsoft security essentials was unable to remove them.

The main issue that I have been facing since this incident is that Windows can't update Firewall settings. The following message is displayed: "Windows Firewall cant change some of your settings. Error code 0x80070424". Additionally, the antivirus program "Microsoft security essential" keeps on detecting the above mentioned malwares and asks to delete these files. Once deleted it asks for a reboot. After restart these viruses are re-created again, and it's been happening for the last couple of weeks.

In order to resolve this issue I searched the internet and found http://www.bleepingcomputer.com so I posted a topic regarding this issue and I have been receiving help from one of your experts. Here's the link of this topic:
http://www.bleepingcomputer.com/forums/topic455970.html/page__gopid__2721298#entry2721298

Now that problem persists, I have been asked for the elevated help and to post a new topic here. I am glad to know that your team is so dedicated for our help. As I am using 64-bit version of Windows so only DDS logs were created. DDS.txt logs are given below and attach.txt is been attached as well.....

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion... Read more

Answer:Infected with Trojan:win64/Sirefef.W, Trojan:win64/Sirefef.M and Trojan:win32/Sirefef.AK

Hello and Welcome to Bleeping Computer!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more

27 more replies
Relevance 41.82%

found with mse and scanned with malwarebytes no help, just hoping someone can help
 
dds file logs
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 1.7.0_09
Run by Sean at 15:38:09 on 2013-08-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8141.5674 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* 1
SP: Windows Defender *Disabled/Updated* 0
SP: Microsoft Security Essentials *Disabled/Updated*

9
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k... Read more

Answer:trojan.win64/sirefef.p and trojan.win32/sirefef.ab removal help

Hello silencer626, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sa... Read more

34 more replies
Relevance 41.82%

When I try to turn Windows' firewall on/off, I get the message "Due to an unidentified problem, Windows cannot display Windows firewall settings."

The Security Service center cannot be started.

I cannot install cumulative security update for IE8.

I was getting redirected to different websites in new windows when surfing.

I recently removed AVG and installed Avast. I also recently updated JAVA and removed old JAVA stuff.

Avast keeps indicating it has blocked:

Infection - Win64:Sirefef-A[Trj]
Object [email protected]

Infection - Win32:Sirefef-AD[Rtk]
Object - [email protected]

Infection - Win32:Malware-gen
Object - [email protected]

I have scanned w/ Avast (Avast also did a boot scan), Malwarebytes, and SuperAntiSpyware, and nothing has changed except the redirect seems to have stopped.

I tried the gmer scan three times and each time it resulted in a blue screen. All I could read on the screen was uwldypow.sys.

Anyway the DDS file -

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 10.5.1
Run by JIM at 21:05:10 on 2012-06-29
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.170 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:&... Read more

Answer:Infected w/ Win64:Sirefef-A[Trj], Win32:Sirefef-AD[Rtk], Win32:Malware-gen

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

30 more replies
Relevance 41.82%

Hello! Please Help!

My antivirus started to warn me about blocking stuff a few days ago. I was using Bitdefender Total Security 2012. At first it found the threats and removed them but since this morning it started acting more weird. It wasn't able to remove them. I think it showed among others a trojan.sirefef.fy. I've changed my antivirus with Norton 360 but it didn't solve anything. I've installed Malwarebytes Anti-Malware which found another 2 trojans and rootkit.0Access. A second scan showed nothing. Norton 360 showed 2 threats and removed them. At last I ran Eset Online Scanner which now shows 7 threats. I'm really worried that my pc is compromised. I'm using Windows 7 with Firefox. Windows Update seems to be deactivated too.

Answer:trojan.sirefef.fy, Sirefef.Fd Trojan, rootkit.0Access problem

Download TDSSKiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)
Do not change the default options on scan results

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here

Download ESET online scanner
Install it
Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply

8 more replies
Relevance 41%

I have a laptop with Windows 7 Ultimate 32 bit. MSE reports both Sirefef.AH and Sirefef.R. I have tried to remove them using both MSE and MalwareBytes with no success. The computer reboots before DDS or GMER can run. What should I do next?

Answer:Sirefef.AH and Sirefef.R infection

Download TDSSKiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)
Do not change the default options on scan results

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here

Download ESET online scanner
Install it
Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply

4 more replies
Relevance 41%

Hi,

Am I able to get some guidance or help regarding the above Malware please?? My PC is restarting itself every few minutes and none of my usual tools are removing these files.

I am running Win7 professional x32

Please find attached the frst.txt and search.txt files as per other threads on this malware.

Thanks in advance.
 

Answer:Help removing Sirefef.R & Sirefef.AH

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

Save fixlist.txt to your flash drive.
You should now have both fixlist.txt and FRST.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

-------------------------------

You must now follow these procedures please. READ & RUN ME FIRST. Malware Removal Guide
 

18 more replies
Relevance 41%

Hello,
I just found this forum while searching for a solution for this problem and saw the amazing help you provide to people, so I registered and am hoping that someone will be able to help me.

I run Windows 7 Professional x64 and use MSE and the built-in Windows firewall. I noticed a couple of days ago that the MSE realtime protection was disabled and I couldn't enable it. After that I noticed that the Windows Firewall and Windows Defender were disabled too and I couldn't enable them, just got a 0x80070424 error message.

I uninstalled and reinstalled MSE and it found Trojan:Win32/Sirefef.AB and Trojan:Win64/Sirefef.P infections. When I want it to remove them it tells me the computer needs to restart and forces a restart in 1 min. After restart it just starts over again. So I manually disabled the realtime protection to not have the restarts 1 min after windows starts.

I also tried Malwarebytes Antimalware and it too finds rootkits/trojans and wants to restart the computer to get rid of them but they show up again after the restart.

I've uninstalled Daemon Tools Lite and am pasting the logs from DDS and from MBAM.

My sincerest thanks for any help,
Fredrik

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.3.1
Run by Fredrik at 14:58:08 on 2012-08-13
Microsoft Windows 7 Professional 6.1.7601.1.1252.46.1033.18.4094.2516 [GMT 2:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F34... Read more

Answer:Sirefef.AB and Sirefef.P infection, please help

Please run the following:

Refer to the ComboFix User's Guide
Download ComboFix from the following location:

Link

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here
Double click on ComboFix.exe & follow the prompts.
Your desktop may go blank. This is normal. It will return when ComboFix is done.
ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

12 more replies
Relevance 41%

Sorry for another post on this but from my reading, the solution is computer specific.

I have the same problem as others, Microsoft antivirus finds the Sirefef files, removes and has me reboot only to find the files have returned.

I appreciate any help you can give me.

I believe the files needed are attached.

Joe
 

Answer:Another Sirefef.AB and Sirefef.P Post

I ran new version of combofix and computer seems to be clean.

I've attached combfix.log

Thanks
 

4 more replies