Computer Support Forum

Sirefef Infection/1 minute reboot

Question: Sirefef Infection/1 minute reboot

I am having the same trouble as many others. I can't do anything because the computer restarts every minute. Here are my FRST logs. Thank you in advance for the help.

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 25-07-2012 13:18:19
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2009-09-08] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [174104 2009-09-08] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [151064 2009-09-08] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7739936 2009-09-16] (Realtek Semiconductor)
HKLM\...\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe" [159456 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min [258512 2012-01-31] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Dad\...\Run: [CSmileys] "C:\PROGRA~1\Crawler\Smileys\CSmileysIM.exe" [x]
HKU\Dad\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKU\Mom\...\Run: [CSmileys] "C:\Program Files\Crawler\Smileys\CSmileysIM.exe" [x]
HKU\Mom\...\Run: [Google Update] "C:\Users\Mom\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-08-14] (Google Inc.)
HKU\Mom\...\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 [x]
HKU\Mom\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-12-06] (Google Inc.)
HKU\Mom\...\Run: [MusicManager] "C:\Users\Mom\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [13806592 2012-06-01] (Google Inc.)
HKU\Mom\...\Policies\system: [DisableCMD] 0
HKU\Mom\...\Policies\system: [NoDispAppearancePage] 0
HKU\Mom\...\Policies\system: [NoDispBackgroundPage] 0
HKU\Mom\...\Policies\system: [NoDispSettingsPage] 0
HKU\Raymond\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-12-06] (Google Inc.)
HKU\Raymond\...\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent [1242448 2012-02-09] (Valve Corporation)
HKU\Renee\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-12-06] (Google Inc.)
HKU\Renee\...\Run: [Google Update] "C:\Users\Renee\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-09-09] (Google Inc.)
HKU\Renee\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Startup: C:\Users\Dad\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Users\Mom\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Users\Renee\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

================================ Services (Whitelisted) ==================

2 AntiVirMailService; "C:\Program Files\Avira\AntiVir Desktop\avmailc.exe" [342480 2012-01-31] (Avira Operations GmbH & Co. KG)
2 AntiVirSchedulerService; "C:\Program Files\Avira\AntiVir Desktop\sched.exe" [86224 2012-01-31] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [110032 2012-01-31] (Avira Operations GmbH & Co. KG)
2 AntiVirWebService; "C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE" [463824 2012-01-31] (Avira Operations GmbH & Co. KG)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2348352 2012-02-29] (NVIDIA Corporation)
2 pcCMService; "C:\Program Files\Common Files\Motive\pcCMService.exe" [361472 2012-06-14] (Alcatel-Lucent)
2 PLFlash DeviceIoControl Service; C:\Windows\system32\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.)
2 Stereo Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [382272 2012-02-29] (NVIDIA Corporation)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
3 WMZuneComm; "c:\Program Files\Zune\WMZuneComm.exe" [x]
2 ZuneNetworkSvc; "c:\Program Files\Zune\ZuneNss.exe" [x]
3 ZuneWlanCfgSvc; "c:\Program Files\Zune\ZuneWlanCfgSvc.exe" [x]

========================== Drivers (Whitelisted) =============

3 adptahci; C:\Windows\system32\DRIVERS\adptahci.sys [321584 2009-08-17] (Adaptec, Inc.)
2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [74640 2012-01-31] (Avira GmbH)
1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [137416 2012-01-31] (Avira GmbH)
1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [36000 2011-09-16] (Avira GmbH)
3 dg_ssudbus; C:\Windows\System32\DRIVERS\ssudbus.sys [80824 2012-02-15] (DEVGURU Co., LTD.(www.devguru.co.kr))
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 rt61x86; C:\Windows\System32\DRIVERS\WMP54Gv41x86.sys [376160 2010-04-07] (Ralink Technology, Corp.)
3 siigPCIeSer; C:\Windows\system32\DRIVERS\siigPCIeSer.sys [82432 2008-06-27] (SIIG, Inc.)
3 siigPPort; C:\Windows\system32\DRIVERS\siigPPort.sys [82048 2008-09-22] (SIIG, Inc.)
1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)
3 ssudmdm; C:\Windows\System32\DRIVERS\ssudmdm.sys [181432 2012-02-15] (DEVGURU Co., LTD.(www.devguru.co.kr))
1 MpKsl8a54de7e; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E6B2C43C-7AE3-44E4-A01F-27B29B834735}\MpKsl8a54de7e.sys [x]
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]

========================== NetSvcs (Whitelisted) ===========
============ One Month Created Files and Folders ==============

2012-07-25 13:18 - 2012-07-25 13:18 - 00000000 ____D C:\FRST
2012-07-24 19:08 - 2012-07-24 19:08 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-24 19:01 - 2012-07-24 19:01 - 10288512 ____A (Microsoft Corporation) C:\Users\Raymond\Desktop\mseinstall.exe
2012-07-24 15:40 - 2012-07-24 15:40 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-24 12:43 - 2012-07-24 13:23 - 00000000 ____D C:\Users\Raymond\Downloads\[ www.Speed.Cd ] - The.Avengers.Earths.Mightiest.Heroes.S02E13.Along.Came.a.Spider...720p.WEB-DL.DD5.1.AAC2.0.H264-Reaperza
2012-07-24 11:06 - 2012-07-24 12:22 - 180811802 ____A C:\Users\Raymond\Downloads\Avengers.Earths.Mightiest.Heroes.S02E14.Behold...The_Vision-Oj.avi
2012-07-24 11:05 - 2012-07-24 11:53 - 61361376 ____A C:\Users\Raymond\Downloads\Avengers.Earths.Mightiest.Heroes.S02E14.Behold...The_Vision-Oj.avi.part
2012-07-24 10:51 - 2012-07-24 10:58 - 00000000 ____D C:\Users\Raymond\Downloads\The.Avengers.Earths.Mightiest.Heroes.S02E12.Secret.Invasion.720p.WEB-DL-Reaperza
2012-07-24 10:50 - 2012-07-24 12:02 - 00000000 ____D C:\Users\Raymond\Downloads\The.Avengers.Earths.Mightiest.Heroes.S02E10.Prisoner.of.War.720p.WEB-DL-Reaperza
2012-07-24 10:49 - 2012-07-24 12:06 - 00000000 ____D C:\Users\Raymond\Downloads\The.Avengers.Earths.Mightiest.Heroes.S02E11.Infiltration.720p.WEB-DL-Reaperza
2012-07-24 10:48 - 2012-07-24 12:03 - 00000000 ____D C:\Users\Raymond\Downloads\The.Avengers.Earths.Mightiest.Heroes.S02E09.Nightmare.In.Red.720p.WEB-DL-Reaperza
2012-07-24 10:48 - 2012-07-24 10:48 - 00000000 ____D C:\Users\Raymond\Downloads\The.Avengers.Earths.Mightiest.Heroes.S02E08.The.Ballad.of.Beta.Ray.Bill.720p.WEB-DL-Reaperza
2012-07-24 10:05 - 2012-07-24 10:06 - 26023297 ____A C:\Users\Raymond\Downloads\Avengers Vs X-Men 008 (2012) (Digital) (Zone-Empire).cbr
2012-07-24 10:03 - 2012-07-24 10:17 - 00000000 ____D C:\Users\Raymond\Downloads\The.Dark.Knight.Rises.2012.CAM.NEW.XVID-26K
2012-07-24 05:57 - 2012-07-24 05:57 - 00158008 ____A C:\Windows\Minidump\072412-37081-01.dmp
2012-07-23 12:27 - 2012-07-23 12:27 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2012-07-23 12:27 - 2012-07-23 12:27 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2012-07-23 12:27 - 2012-07-23 12:27 - 00000000 ____D C:\Program Files\Common Files\Adobe AIR
2012-07-23 12:24 - 2012-07-23 12:24 - 00022393 ____A C:\Users\Mom\Documents\Elaine Cover Letter 2012.odt
2012-07-23 12:01 - 2012-07-23 12:01 - 00160056 ____A C:\Windows\Minidump\072312-29109-01.dmp
2012-07-21 20:10 - 2012-07-21 20:10 - 00151816 ____A C:\Windows\Minidump\072212-33758-01.dmp
2012-07-21 08:55 - 2012-07-21 08:55 - 00001833 ____A C:\Users\Raymond\Desktop\skse_loader - Shortcut.lnk
2012-07-21 08:53 - 2012-07-21 08:53 - 00000000 ____D C:\Users\Raymond\Desktop\skse_1_05_09
2012-07-17 21:43 - 2012-07-17 21:43 - 00000412 ____A C:\Users\Mom\Documents\Peach Cobbler.txt
2012-07-16 11:33 - 2012-07-16 11:33 - 00000514 ____A C:\Users\Mom\Documents\Apple Crunch.txt
2012-07-11 21:04 - 2012-07-11 21:04 - 00893936 ____A (Oracle Corporation) C:\Users\Mom\Downloads\chromeinstall-7u5.exe
2012-07-11 11:34 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-11 11:34 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-11 11:34 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-11 11:34 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-11 11:34 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-11 11:34 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-11 11:34 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-11 11:34 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-11 11:34 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-11 11:34 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-11 11:34 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-11 11:34 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-11 11:34 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-11 11:33 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-11 11:31 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 10:28 - 2012-07-11 10:29 - 00325160 ____A C:\Users\Raymond\Downloads\skse_1_05_09.7z
2012-07-11 00:43 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 00:43 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 00:43 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 00:43 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-11 00:43 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 00:43 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 00:43 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 00:43 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 00:43 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 00:43 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-10 09:35 - 2012-07-10 09:39 - 00000000 ____D C:\Users\Raymond\Downloads\[UsaBit.com] - The.Amazing.Spiderman.2012.CAM.XviD-HOPE
2012-07-10 09:33 - 2012-07-10 09:34 - 27120251 ____A C:\Users\Raymond\Downloads\Avengers Vs X-Men 007 (2012) (Digital) (Zone-Empire).cbr
2012-07-07 13:33 - 2012-07-07 13:33 - 12621696 ____A (Microsoft Corporation) C:\Users\Mom\Downloads\mseinstall.exe
2012-07-06 12:16 - 2012-07-06 12:16 - 00000766 ____A C:\Users\Mom\Documents\Gwinnett Water Payment 070612.txt
2012-07-05 15:50 - 2012-07-05 15:50 - 00001508 ____A C:\Users\Mom\Documents\Camarones Enchilados.txt
2012-07-05 12:46 - 2012-07-05 12:46 - 00001488 ____A C:\Users\Mom\Documents\Mortgage Contact for Refinance.txt
2012-07-04 14:05 - 2012-07-04 14:59 - 1410823344 ____A C:\Users\Raymond\Downloads\Eureka.S05E11.720p.HDTV.x264-IMMERSE.mkv
2012-07-03 13:42 - 2012-07-03 13:43 - 00027136 __ASH C:\Users\Renee\Downloads\Thumbs.db
2012-06-26 18:35 - 2012-06-26 18:35 - 00000117 ____A C:\Users\Mom\Documents\Granny's Cake.txt
2012-06-25 14:21 - 2012-06-25 14:21 - 00005209 ____A C:\Users\Mom\Documents\pdf.txt

============ 3 Months Modified Files ========================

2012-07-24 23:58 - 2011-05-28 05:23 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-24 23:58 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-24 23:58 - 2009-07-13 20:39 - 00096925 ____A C:\Windows\setupact.log
2012-07-24 23:50 - 2011-05-28 05:23 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-24 23:49 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-24 19:35 - 2009-07-13 20:53 - 00032546 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-24 19:13 - 2009-07-13 20:34 - 00015184 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-24 19:13 - 2009-07-13 20:34 - 00015184 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-24 19:10 - 2012-03-31 07:57 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-24 19:09 - 2010-07-26 12:48 - 01597969 ____A C:\Windows\WindowsUpdate.log
2012-07-24 19:08 - 2011-01-28 08:44 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-24 19:08 - 2010-01-12 15:09 - 00831866 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-24 19:01 - 2012-07-24 19:01 - 10288512 ____A (Microsoft Corporation) C:\Users\Raymond\Desktop\mseinstall.exe
2012-07-24 18:53 - 2011-09-09 08:58 - 00002580 ____A C:\Users\Renee\Desktop\Google Chrome.lnk
2012-07-24 18:48 - 2011-09-09 08:57 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1044502931-3939311878-2316524138-1005UA.job
2012-07-24 18:23 - 2010-08-14 06:44 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1044502931-3939311878-2316524138-1001UA.job
2012-07-24 15:03 - 2011-09-09 08:57 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1044502931-3939311878-2316524138-1005Core.job
2012-07-24 12:22 - 2012-07-24 11:06 - 180811802 ____A C:\Users\Raymond\Downloads\Avengers.Earths.Mightiest.Heroes.S02E14.Behold...The_Vision-Oj.avi
2012-07-24 11:53 - 2012-07-24 11:05 - 61361376 ____A C:\Users\Raymond\Downloads\Avengers.Earths.Mightiest.Heroes.S02E14.Behold...The_Vision-Oj.avi.part
2012-07-24 10:06 - 2012-07-24 10:05 - 26023297 ____A C:\Users\Raymond\Downloads\Avengers Vs X-Men 008 (2012) (Digital) (Zone-Empire).cbr
2012-07-24 05:57 - 2012-07-24 05:57 - 00158008 ____A C:\Windows\Minidump\072412-37081-01.dmp
2012-07-24 05:57 - 2011-08-29 22:38 - 260136816 ____A C:\Windows\MEMORY.DMP
2012-07-23 18:29 - 2010-08-01 18:15 - 00001843 ____A C:\Users\Mom\Documents\Richard Manross Resume 2010 Text.txt
2012-07-23 18:28 - 2010-08-01 18:15 - 00000693 ____A C:\Users\Mom\Documents\Richard Manross References 2010.txt
2012-07-23 13:49 - 2010-08-14 22:28 - 00276480 __ASH C:\Users\Mom\Documents\Thumbs.db
2012-07-23 12:24 - 2012-07-23 12:24 - 00022393 ____A C:\Users\Mom\Documents\Elaine Cover Letter 2012.odt
2012-07-23 12:01 - 2012-07-23 12:01 - 00160056 ____A C:\Windows\Minidump\072312-29109-01.dmp
2012-07-21 20:10 - 2012-07-21 20:10 - 00151816 ____A C:\Windows\Minidump\072212-33758-01.dmp
2012-07-21 08:55 - 2012-07-21 08:55 - 00001833 ____A C:\Users\Raymond\Desktop\skse_loader - Shortcut.lnk
2012-07-18 06:23 - 2010-08-14 06:44 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1044502931-3939311878-2316524138-1001Core.job
2012-07-17 22:51 - 2010-08-01 18:15 - 00001266 ____A C:\Users\Mom\Documents\Buffalo Chicken Wings.txt
2012-07-17 21:43 - 2012-07-17 21:43 - 00000412 ____A C:\Users\Mom\Documents\Peach Cobbler.txt
2012-07-16 11:33 - 2012-07-16 11:33 - 00000514 ____A C:\Users\Mom\Documents\Apple Crunch.txt
2012-07-12 12:06 - 2010-08-01 18:15 - 00002883 ____A C:\Users\Mom\Documents\Recommendations.txt
2012-07-11 21:07 - 2012-04-25 10:10 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-07-11 21:07 - 2012-04-25 10:10 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-07-11 21:07 - 2012-04-25 10:10 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-07-11 21:07 - 2012-04-25 10:10 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-07-11 21:04 - 2012-07-11 21:04 - 00893936 ____A (Oracle Corporation) C:\Users\Mom\Downloads\chromeinstall-7u5.exe
2012-07-11 21:03 - 2012-06-23 11:28 - 00005209 ____A C:\Users\Mom\Documents\Elaine Resume Text 062312.txt
2012-07-11 17:10 - 2012-03-31 07:57 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-11 17:10 - 2011-05-18 16:17 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-11 12:04 - 2009-07-13 20:33 - 00285856 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 11:32 - 2010-01-13 06:16 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-11 10:29 - 2012-07-11 10:28 - 00325160 ____A C:\Users\Raymond\Downloads\skse_1_05_09.7z
2012-07-10 09:34 - 2012-07-10 09:33 - 27120251 ____A C:\Users\Raymond\Downloads\Avengers Vs X-Men 007 (2012) (Digital) (Zone-Empire).cbr
2012-07-07 13:33 - 2012-07-07 13:33 - 12621696 ____A (Microsoft Corporation) C:\Users\Mom\Downloads\mseinstall.exe
2012-07-06 12:16 - 2012-07-06 12:16 - 00000766 ____A C:\Users\Mom\Documents\Gwinnett Water Payment 070612.txt
2012-07-05 15:50 - 2012-07-05 15:50 - 00001508 ____A C:\Users\Mom\Documents\Camarones Enchilados.txt
2012-07-05 12:46 - 2012-07-05 12:46 - 00001488 ____A C:\Users\Mom\Documents\Mortgage Contact for Refinance.txt
2012-07-05 12:15 - 2012-02-11 16:04 - 00000870 ____A C:\Users\Mom\Documents\Bacon and Cheese Muffins.txt
2012-07-05 12:10 - 2010-08-23 20:04 - 00001279 ____A C:\Users\Mom\Documents\7UP Poundcake.txt
2012-07-04 14:59 - 2012-07-04 14:05 - 1410823344 ____A C:\Users\Raymond\Downloads\Eureka.S05E11.720p.HDTV.x264-IMMERSE.mkv
2012-07-03 13:43 - 2012-07-03 13:42 - 00027136 __ASH C:\Users\Renee\Downloads\Thumbs.db
2012-06-26 18:35 - 2012-06-26 18:35 - 00000117 ____A C:\Users\Mom\Documents\Granny's Cake.txt
2012-06-25 14:21 - 2012-06-25 14:21 - 00005209 ____A C:\Users\Mom\Documents\pdf.txt
2012-06-23 10:50 - 2012-06-23 10:50 - 00000045 ____A C:\Users\Mom\Documents\USA JOBS SignOn.txt
2012-06-23 10:38 - 2012-06-23 10:38 - 00004480 ____A C:\Users\Mom\Documents\WALTON EMC 062312.htm
2012-06-23 09:00 - 2012-06-23 09:00 - 00136780 ____A C:\Users\Mom\Documents\ATT BILL PAY 052312.htm
2012-06-23 08:56 - 2012-06-23 08:56 - 00029026 ____A C:\Users\Mom\Documents\Mortgage Payment for May and June 2012.htm
2012-06-23 08:48 - 2012-06-23 08:49 - 00979144 ____A (Solid State Networks) C:\Users\Mom\Downloads\install_reader10_en_mssa_aih.exe
2012-06-21 22:43 - 2012-06-21 22:43 - 00000058 ____A C:\Users\Mom\Documents\Collections, etc Password.txt
2012-06-20 10:33 - 2012-06-20 10:33 - 00029259 ____A C:\Users\Mom\Documents\State Farm 06202012 Insurance Bill Pay.htm
2012-06-19 16:52 - 2012-06-19 16:52 - 00005209 ____A C:\Users\Mom\Documents\Resume 2012.txt
2012-06-15 19:52 - 2012-06-15 19:52 - 00002191 ____A C:\Users\Public\Desktop\AT&T Yahoo! Web Mail.lnk
2012-06-15 19:49 - 2012-06-15 19:49 - 00385904 ____A C:\Users\Mom\Downloads\ATT_SST.exe
2012-06-14 10:51 - 2010-08-01 18:15 - 00027573 ____A C:\Users\Mom\Documents\Elaine Manross Resume 2009-b.odt
2012-06-11 18:40 - 2012-07-11 11:31 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:41 - 2012-07-11 00:43 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 08:00 - 2012-06-08 08:00 - 00000083 ____A C:\Users\Mom\Documents\Direct TV signon.txt
2012-06-05 21:05 - 2012-07-11 00:43 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-11 00:43 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-11 00:43 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-02 15:31 - 2012-06-02 15:31 - 00599432 ____A C:\Users\Renee\Downloads\VideoConverterSetup.exe
2012-06-02 14:19 - 2012-06-24 11:16 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-24 11:16 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-24 11:16 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-24 11:15 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-24 11:15 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-24 11:16 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-24 11:15 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 13:08 - 2012-06-02 13:08 - 00049432 ____A C:\Users\Renee\Downloads\subwayhobo.jpeg
2012-06-02 11:19 - 2012-06-24 11:15 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-24 11:15 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-11 11:34 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-11 11:33 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-11 11:34 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-11 11:34 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-11 11:34 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 11:34 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-11 11:34 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-11 11:34 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 11:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 11:34 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-11 11:34 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-11 11:34 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 11:34 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 11:34 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-11 00:43 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-11 00:43 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-11 00:43 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-11 00:43 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-11 00:43 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-29 06:00 - 2012-05-29 06:00 - 00000100 ____A C:\Users\Mom\Documents\PayPal INF by Gail.txt
2012-05-26 06:40 - 2012-05-26 06:40 - 00739808 ____A (Google Inc.) C:\Users\Mom\Downloads\musicmanagerinstaller.exe
2012-05-24 09:50 - 2012-05-24 09:50 - 00002264 ____A C:\Users\Mom\Documents\suntrust 052412.txt
2012-05-23 16:12 - 2012-05-23 16:12 - 00033727 ____A C:\Users\Mom\Documents\Daddy's enlistmenr record.htm
2012-05-20 14:04 - 2012-05-20 14:04 - 00000066 ____A C:\Users\Mom\Documents\Application Food STAMPS.txt
2012-05-17 07:09 - 2012-05-17 07:09 - 00000050 ____A C:\Users\Mom\Documents\WALTON EMC PASSWORD.txt
2012-05-17 07:07 - 2012-05-17 07:07 - 00005238 ____A C:\Users\Mom\Documents\Walton EMC 051712.htm
2012-05-15 06:00 - 2012-05-15 05:57 - 123137160 ____A (NVIDIA Corporation) C:\Users\Raymond\Downloads\296.10-desktop-win7-winvista-32bit-english-whql.exe
2012-05-11 13:30 - 2012-05-11 13:30 - 07336648 ____A (Blizzard Entertainment) C:\Users\Raymond\Downloads\Diablo-III-8370-enUS-Installer-downloader.exe
2012-05-11 11:32 - 2012-05-11 11:32 - 00021506 ____A C:\Users\Mom\Documents\OneStopPlus.com Credit Card - Pay Online 051112.htm
2012-05-11 11:05 - 2010-07-26 13:19 - 00320546 ____A C:\Windows\PFRO.log
2012-05-11 11:03 - 2012-03-15 11:00 - 00002023 ____A C:\Users\Public\Desktop\Avira Control Center.lnk
2012-05-11 10:51 - 2012-05-11 10:49 - 85409344 ____A C:\Users\Mom\Downloads\avira_professional_security_en.exe
2012-04-30 20:44 - 2012-06-13 06:53 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-30 08:49 - 2012-04-30 08:49 - 06674008 ____A (Adobe Systems Inc.) C:\Users\Mom\Downloads\Shockwave_Installer_Slim.exe
2012-04-27 19:17 - 2012-06-13 06:53 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-27 10:45 - 2012-04-27 10:45 - 00000164 ____A C:\Users\Mom\Lisa Goss Barnett Rentz.txt
2012-04-27 10:37 - 2012-04-27 10:37 - 00000594 ____A C:\Users\Mom\Mortgage march 2012.htm

ZeroAccess:
C:\Windows\Installer\{5bef9bf3-c91d-62db-16ca-e104b9851dd3}
C:\Windows\Installer\{5bef9bf3-c91d-62db-16ca-e104b9851dd3}\@
C:\Windows\Installer\{5bef9bf3-c91d-62db-16ca-e104b9851dd3}\L
C:\Windows\Installer\{5bef9bf3-c91d-62db-16ca-e104b9851dd3}\n
C:\Windows\Installer\{5bef9bf3-c91d-62db-16ca-e104b9851dd3}\U
C:\Windows\Installer\{5bef9bf3-c91d-62db-16ca-e104b9851dd3}\L\[email protected]

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============
========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 21%
Total physical RAM: 2038.21 MB
Available physical RAM: 1605.7 MB
Total Pagefile: 2038.21 MB
Available Pagefile: 1610.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB

======================= Partitions =========================

1 Drive c: (Windows) (Fixed) (Total:297.8 GB) (Free:131.45 GB) NTFS
3 Drive f: () (Removable) (Total:0.97 GB) (Free:0.97 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online         298 GB   0 B
Disk 1    Online         995 MB   0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           300 MB   1024 KB
Partition 2    Primary           297 GB   301 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1  Y    System       NTFS   Partition   300 MB   Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2  C    Windows      NTFS   Partition   297 GB   Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           995 MB   118 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3  F                 FAT    Removable   995 MB   Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-18 08:45

======================= End Of Log ==========================
***************************************************************************************************************************************************************

Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-25 13:21:08
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-07-24 23:49] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===

Answer: Sirefef Infection/1 minute reboot

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
C:\Windows\assembly\GAC\Desktop.ini
C:\Windows\Installer\{5bef9bf3-c91d-62db-16ca-e104b9851dd3}
HKU\Dad\...\Run: [CSmileys] "C:\PROGRA~1\Crawler\Smileys\CSmileysIM.exe" [x]
HKU\Mom\...\Run: [CSmileys] "C:\Program Files\Crawler\Smileys\CSmileysIM.exe" [x]

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. Run FRST64 and press the Fix button just once and wait. The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo

5 more replies
Relevance 77.43%

Got another one for you... Can't stay logged into windows because of a critical error, and rebooting 1 minute later. Here is my frst.txt content...

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 27-07-2012 20:21:28
Running from I:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16333856 2009-07-14] (NVIDIA Corporation)
HKLM\...\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui [190472 2009-09-16] (Logitech Inc.)
HKLM\...\Run: [EKAIO2StatusMonitor] C:\Windows\system32\spool\DRIVERS\x64\3\EKAiO2MUI.exe [3240448 2011-12-10] (Eastman Kodak Company)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ABNotify] C:\Program Fi... Read more

Answer:Another Sirefef Infection/1 minute reboot

Please do the following:

Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
1 evrhwdch; \??\C:\Windows\system32\drivers\evrhwdch.sys [x]
2012-07-27 17:17 - 2012-07-27 17:17 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2243DA0DB5B173E7
2012-07-27 17:17 - 2012-07-27 17:17 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\wwogfass.sys
2012-07-27 15:35 - 2012-07-27 15:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2BADF4F3E3ADF4FB
2012-07-27 15:20 - 2012-07-27 15:20 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3BADF02DBC08DE8D
2012-07-23 11:00 - 2012-07-23 11:00 - 00311296 ____A C:\Users\Courtney_2\AppData\Local\plogolc.exe
C:\Windows\Installer\{4935c656-a5da-c5b8-8fc3-b9e67597a38b}
C:\Users\Courtney_2\AppData\Local\{4935c656-a5da-c5b8-8fc3-b9e67597a38b}
replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
... Read more
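An added Python example (mine, not the helper's and not FRST's code) that reads the two artifacts these threads turn on: the FRST "Search: services.exe" section quoted in the first post above, where the WinSxS copy of services.exe and the live System32 copy have the same size but different MD5s and the live copy was modified in the infection window, and the services.exe.<hex> listing lines from the fixlist in this reply. The sample text is constructed from the page's own lines; the flagging rules and the "no publisher in AppData" heuristic are my assumptions, not FRST's logic. A hash mismatch alone is a lead, not a verdict: a hotfix also changes the hash, so check the Authenticode signature before replacing anything.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input, copied in the shapes FRST prints: the Search
# section from the first post of this thread and listing lines from the
# fixlist above. Paths and MD5 values are the ones quoted on the page.
SEARCH_TXT = r"""================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-07-24 23:49] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

LISTING_TXT = r"""2012-07-27 17:17 - 2012-07-27 17:17 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2243DA0DB5B173E7
2012-07-27 17:17 - 2012-07-27 17:17 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\wwogfass.sys
2012-07-27 15:35 - 2012-07-27 15:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2BADF4F3E3ADF4FB
2012-07-23 11:00 - 2012-07-23 11:00 - 00311296 ____A C:\Users\Courtney_2\AppData\Local\plogolc.exe
"""

# Detail line under each path in a Search section:
#   [created] - [modified] - size attributes (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)
# One line of an FRST file listing:
#   created - modified - size attributes (company) path
LISTING_RE = re.compile(
    r"^(?P<created>\S+ \S+) - (?P<modified>\S+ \S+) - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<path>[A-Za-z]:\\.+)$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# services.exe with a 16-hex-digit suffix has no legitimate origin in
# System32; the fixlist above lists such copies for deletion.
STRAY_COPY_RE = re.compile(r"\\services\.exe\.[0-9A-Fa-f]{16}$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_search(text: str) -> List[Dict[str, str]]:
    """Pair every path line in a Search section with the detail line under it."""
    entries: List[Dict[str, str]] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending is not None:
            rec = m.groupdict()
            rec["path"] = pending
            rec["md5"] = rec["md5"].upper()
            entries.append(rec)
            pending = None
    return entries


def find_tampered(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag live copies whose MD5 differs from the WinSxS copy of the same name and size.

    WinSxS holds the binary Windows servicing installed; that is the backup the
    helpers' "Replace:" line restores from. Same size, different hash, modified
    years after the servicing date is the pattern the thread shows.
    """
    refs: Dict[Tuple[str, str], Dict[str, str]] = {}
    for e in entries:
        if "\\winsxs\\" in e["path"].lower():
            refs[(basename(e["path"]), e["size"])] = e
    findings: List[Dict[str, str]] = []
    for e in entries:
        if "\\winsxs\\" in e["path"].lower():
            continue
        ref = refs.get((basename(e["path"]), e["size"]))
        if ref is not None and ref["md5"] != e["md5"]:
            findings.append({
                "path": e["path"], "md5": e["md5"], "modified": e["modified"],
                "reference": ref["path"], "reference_md5": ref["md5"],
            })
    return findings


def flag_listing(text: str) -> Tuple[List[str], List[str]]:
    """Return (stray services.exe copies, AppData .exe files with no publisher).

    The second rule is my heuristic: a versionless executable in AppData is
    worth a look, not proof of anything.
    """
    stray: List[str] = []
    no_publisher: List[str] = []
    for raw in text.splitlines():
        m = LISTING_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        low = path.lower()
        if STRAY_COPY_RE.search(path):
            stray.append(path)
        elif m.group("company") is None and "\\appdata\\" in low and low.endswith(".exe"):
            no_publisher.append(path)
    return stray, no_publisher


def triage(search_text: str = SEARCH_TXT, listing_text: str = LISTING_TXT) -> Dict[str, list]:
    """Run both checks over the log text and return the findings as plain lists."""
    stray, no_publisher = flag_listing(listing_text)
    return {
        "tampered": find_tampered(parse_search(search_text)),
        "stray_copies": stray,
        "no_publisher_user_exes": no_publisher,
    }


if __name__ == "__main__":
    for kind, items in triage().items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run it against a real Search.txt and FRST.txt by passing their contents to triage(); the sample defaults only reproduce what the page shows.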

13 more replies
Relevance 88.97%

Hi! Had good results with this forum; back again!

Working on my nephew's computer, I noticed Google searches were being redirected. Microsoft didn't catch the initial problem so I ran Malwarebytes and Eset Online scanner which found and cleaned some problems. Rebooted. Microsoft Security Essentials found Sirefef trojan, cleaned and rebooted. Now every time I boot the computer it says it will "restart automatically in one minute" (both safe and normal mode)

OS is Vista
AV is MSE
Advanced Boot options does NOT give me "Repair your computer" option
I do not have the Windows installation disk, although it might be possible to find with a lot of hunting.

Please help!

(As an aside, the reason I went to my nephew's computer was to check on the router... On my laptop my Symantec Endpoint Protection was giving me popups that a "port scan attack is logged" coming from the router. Since it was being blocked I figured I would use the other computer to view the router's admin page.)

Answer:Sirefef (one minute reboot)

Update:
I booted to safe mode and brought up the task manager with a CTRL-ALT-DEL at the first opportunity. I used the processes tab to locate the MSI process and ended it. This allowed me to run DDS and GMER to get the following logs.

Awaiting help,
Thanks!

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by COREY at 20:04:59 on 2012-08-12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1652 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.... Read more

33 more replies
Relevance 87.33%

Hello,

I have a Windows 7 Home Premium 64-bit laptop which is infected with the Win32/sirefef.ah trojan. As soon as Microsoft Security Essentials launches it causes the system to give this error: WINDOWS HAS ENCOUNTERED A CRITICAL PROBLEM AND WILL RESTART AUTOMATICALLY IN ONE MINUTE and then reboots. This happens in a regular boot and in safe mode. MSE cannot be uninstalled either. I've read other threads and would like to know which program needs to be run first so I may supply the log files. Your help is appreciated.

thank you,
-kA

Answer:win32/sirefef.ah trojan (causes one minute reboot)

please run the following:

download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

4 more replies
Relevance 83.64%

Please run the following:

download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

Answer:Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute. Firewall cannot turn on

Hi,

Thanks for the reply.

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 29-07-2012 11:19:09
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL "" [1111568 2011-10-08] (Trend Micro Inc.)
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2589992 2011-04-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [617120 2011-03-13] (Atheros Commnucations)
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [197152 2011-02-10] (Trend Micro Inc.)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\A... Read more

20 more replies
Relevance 82.82%

Hi, Last night I was browsing the internet and attempted to download something from a website that seemed legitimate, but when I went to scan the file with MSE, I was shocked to find that MSE was turned off, and I could not get it to work again.
I forget the exact error displayed, but I immediately disconnected the internet, uninstalled MSE, and then re-installed, reconnected to the net, updated MSE and was immediately confronted with a security warning that my system was infected with "Sirefef.Y".

MSE tried to clean the infection, but before it could complete the process, I received a Windows Critical error, stating that my system has encountered a problem and will automatically restart in 60 seconds, which it did.
This is a cycle that continues to occur, and pretty much immediately after boot, which gives me very little time to do anything about the problem.
Please help!

I am running Windows 7 Home Premium 64bit.

I have tried starting the computer in safe mode but get the same problem - each time I receive the Windows error and the system reboots
Any help you could provide would be appreciated a great deal.

Thanks in advance.

RK.

Answer:Sirefef infection - Computer restarts in 1 minute everytime I boot it

download Farbar Recovery Scan Tool and save it to a flash drive. (you need the 64bit version)
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst6... Read more

8 more replies
Relevance 82%

Hello,

I post my problem here as it seems the only place where I've found people who actually know what they're talking about. I have a Sony Vaio Laptop running windows 7 64 bit infected with the sirefef virus. Microsoft security essentials shows that it found:

Trojan: Win64/Sirefef
Trojan: Win64/Sirefef.Y
Virus: Win64/Sirefef.B
Trojan: Win64/Sirefef.Z
Trojan: Win64/Sirefef.W

Every time I boot the computer, MSE finds these infections, and prompts me after a minute to restart in order to complete the removal. But every time it reboots, the message is still there. I tried installing Malwarebytes but it won't let me cause it says "access denied" or something like that. Sorry for not providing any more information but I can use my pc for a couple of minutes every time (cause it reboots automatically). I followed your instructions and scanned with DDS. I attach the attach.txt file it generated. I look forward to hearing from you as I really need the laptop for my university studies and I'm in the middle of the exams period. Thank you for your time!

P.S. If I restore my whole system to factory settings, is the problem going to persist? Cause if it's not, I will do it in a heartbeat. Only problem is that I am afraid of infecting my external hard drive (which would be already infected if the virus spreads to external devices). Would that be the case? Will I need to clean my external HDD too?

Answer:Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute

Hello and welcome. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an... Read more

2 more replies
Relevance 77.9%

Hi all, I'm new to the community here so that's my first post unfortunately. Well the problem started with windows firewall being disabled and I was getting an error. So I decided to install mse when the reboots started... Is there a "fast" solution? my system is w7 x64 and I have bitdefender security center..

Any help you could provide would be appreciated a great deal.

Thanks in advance.

Apostolis

Answer:Sirefef.y infection and reboot every 60 sec

Doing a little research I found what has to be done with Farbar so I did that and I will post the log file.

Scan result of Farbar Recovery Scan Tool Version: 17-06-2012 04
Ran by SYSTEM at 18-06-2012 13:50:46
Running from G:\
Windows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [BDAgent] "C:\Program Files\Bitdefender\Bitdefender 2012\bdagent.exe" [1067256 2012-04-01] (Bitdefender)
HKLM\...\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe [310272 2010-07-29] (Saitek)
HKLM\...\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe [158208 2010-07-29] (Saitek)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [WindowsLiveDeviceIntegrator] C:\Program Files (x86)\Windows Live\Device Integrator\wldi.e... Read more

14 more replies
Relevance 75.85%

Hello,

Yesterday my PC was infected with the Live Security Virus. It's an HP desktop running Win Vista Home Premium.

I was able to download AntiMalwarebytes and run it to remove the Live Security Virus.

Afterwards MSE would not run, so I uninstalled it, and reinstalled.

After rebooting, MSE detected the sirefef.ah and sirefef.r viruses, but before it can clean them the PC gives a warning that it had a critical error, and will restart in a minute. It then restarts.

I tried downloading TDSSkiller onto a flash drive on this PC (my laptop), plugged it into the infected PC and ran it, but it didn't find anything. Sure enough, it then shut down again.

MSE will detect the viruses, but doesn't have enough time to deal with them.

I'd love some help! What should I try next?

Thanks!
Ian

Answer:Infected with sirefef.ah and sirefef.r after Live Security Update - reboots every minute

Ignore this for now, I've taken the PC into a local shop. I just don't have the time right now to figure this out on my own. I will post any solutions they tell me.

Thanks anyway, I'll be back for other issues I'm sure!

22 more replies
Relevance 73.39%

Problem started as Live Platinum fake anti-virus. I thought I successfully removed this with MBAM, etc. But shortly thereafter MSE alerted that it detected Sirefef.R & Sirefef.AH. Now every time I reboot I get a message that Windows has encountered a critical problem and the computer shuts down after 1 minute. I followed the steps on the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help, but I am not able to run DDS or GMER scans because the system reboots before they finish. I am stuck!
OS is Windows 7, 32-bit.
Thanks in advance.

Answer:Sirefef.R, Sirefef.AH, computer shuts down after 1 minute

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more

23 more replies
Relevance 70.93%

Last night, I noticed MSE was not running and I could not update or run a scan. I uninstalled and reinstalled MSE. It scanned and detected Sirefef.R and Sirefef.AH and a message appeared that the computer would shutdown in one minute. The same thing happens in safe mode.

I am unable to run READ AND RUN ME FIRST because of the shutdowns (sending this from another computer).

I ran FRST.exe and have attached the file.

Thanks
 

Answer:Sirefef.R & Sirefef.AH - reboots after 1 minute

Please do the below as we need to locate a backup file to replace an infected one.

Boot to System Recovery Options and run FRST again.
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (See How to attach)
 

18 more replies
Relevance 68.06%

A few days ago, I got the Sirefef.AB and Sirefef.W virus on my computer. I had no idea the severity of my problem until after I reinstalled MSE which has now caused my computer to constantly restart. I have used Farbar to create a FRST.txt and Server.txt file, though I do not know if that will help on this site in the removal of this blasted virus, and I will wait to post it until I have been instructed if I should do so. I really am at a loss here. I am not that great with computers, and could really use some help.

Edit: Added note, for the short while before I reinstalled MSE, I was having redirection problems when clicking on Google links. It also restarts in Safe Mode.

Answer:Sirefef.AB and Sirefef.W for Windows 7 Infected Computer with Constant Reboot

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

3 more replies
Relevance 65.19%

I went through the other threads and noticed a fix.txt is needed to repair my brother's computer. I used the frst64 to acquire the two logs attached to this message. Any chance someone can help us? Let me know if you need anything else. His computer starts up and then shuts down before much can be done so I don't have a normal log for you, but I will see what I can get for you.

Thanks!
Scott


Answer:win32/sirefef.ab and win64/sirefef.p infection fix.txt needed

You did not run it properly as indicated by the contents of the log. You need to do it again according to these instructions and you must NEVER follow a fix tailored especially for someone else.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.
On the System Recovery Options menu you will get the following options:





Startup Repair
Sys... Read more

11 more replies
Relevance 64.37%

Hi, I'm new to this forum. I think I have the exact same problem as in this post:
http://www.bleepingcomputer.com/forums/topic455881.html

But I thought it would be better to post a new topic, correct me if I'm wrong.

My computer boot, and after a few seconds it says that it found a potential risk "Sirefef", and after 1 minute it reboots.
Any help is appreciated!

Attached you find scan results from Farbar Recovery Tool.

Answer:Sirefef with automatic reboots after 1 minute

This post can be closed, I think I solved the problem by doing the same steps as in the duplicate post.

2 more replies
Relevance 64.37%

Hello, this is my first time in this forum. My first indication of a problem with my computer was that MSE was not started, and would not start when I attempted to do so. I uninstalled MSE, and then reinstalled it. During the quick scan it attempted during the installation, it let me know it found the serious threat of Sirefef.AH. I told it to remove the problem and it began to do so, but before it was done, a Windows message popped up: "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work." I then have approximately 60 seconds to do anything before the computer reboots itself. Now, it is giving me this error and rebooting every time I restart the computer. It does this even in safe mode. I did manage to download the TDSSKILLER .zip file to my phone, then copied the file to the infected computer, extracted it, got it installed and started the scan before the computer rebooted itself.

I have searched through this forum for help but I can't seem to find anyone else with the problem of having only a 60 second window to fix this malware issue.

I am running Windows 7 on a 32-bit system. Thank you in advance for your help!!

Answer:Sirefef.AH with automatic reboots after 1 minute

Let's give it a try. You will need a USB Flash drive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Click on Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.


Computer wasn't showing up on the local network, firewall was complaining it couldn't start and the service was missing. Function Discovery Resource Publication was refusing to start too. Skimmed some blogs, ran Combofix and let it do its thing (realise that I probably shouldn't have been so cavalier now) and the computer restarted and reappeared on the network. The firewall sprang back into life, windows downloaded several updates and security essentials detected Win32/Sirefef!cfg in two locations and Win64/Sirefef.AC in another. These were quarantined and deleted. Ran Malwarebytes antimalware which detected a couple of other things in install files (not running) and removed them. I subsequently ran combofix /uninstall and the computer seems to be behaving itself, but I want to be sure that I've actually removed the infection. DDS log below, many thanks in advance:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 1.6.0_35
Run by daniel at 21:23:25 on 2012-12-10
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.44.1033.18.8183.5735 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows&...

Answer:sirefef.ac and sirefef!cfg infection - firewall and various other services were gone

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top o...


My computer is restarting every minute due to "critical error" because of Sirefef. I went ahead and got both FRST.txt and Search.txt for services.exe which I will post below. Also, I want to know if it is likely that Sirefef might spread through USB stick or my home network to another Win 7 computer? I am guessing I got infected from a fake adobe flashplayer update, is that right?

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 16-07-2012 01
Ran by SYSTEM at 19-07-2012 22:44:46
Running from G:\
Windows 7 Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SunJavaUpdateSched] [x]
HKLM\...\Run: [LogMeIn Hamachi Ui] [x]
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\CompooterUser\...\Run: [DAEMON Tools Lite] [x]
HKU\CompooterUser\...\Run: [Steam] [x]
HKU\CompooterUser\...\Run: [uTorrent] [x]
HKU\CompooterUser\...\Winlogon: [Userinit] [x]
HKU\CompooterUser\...\Winlogon: [Shell] [x]
HKU\Default\...\Run: [Sidebar] [x]
HKU\Default\...\Winlogon: [Userinit] [x]
HKU\Default\...\Winlogon: [Shell] [x]
HKU\Default User\...\Run: [Sidebar] [x]
HKU&#...

Answer:Sirefef.R and Sirefef.AH infection with forced restart

Greetings And Welcome To The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At...


Hello,

Microsoft Security Essentials is notifying me that Win32/Sirefef.AB and Win64/Sirefef.P are potential threats, but of course trying to remove them does nothing.

Attached is my Farbar Recovery Scan Tool log. Thanks in advance for any help!

Answer:Win32/Sirefef.AB and Win64/Sirefef.P Infection

Hello user314159 and welcome to the forums!
My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!
I would be glad to take a look at your log and help you with solving any malware problems.
If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
- Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
- Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
- If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
- In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
- If I instruct you to download a specific tool in which you already have, ple...


Yes I have the dreaded infection and have downloaded the frst64.exe and will run it to get the log files...
Any other directions or advice would be great

Not sure if this is the correct place to post virus infection requests...if not please direct me to the correct place...I do have the frst.txt file for my issue to upload when necessary.

Thanks
Russ

Answer:Win32/sirefef.AB / win64/sirefef.P infection

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

You can also post the FRST log

Good luck


Hi, folks. I'm from Brazil and I had the same problem as kesposito. I was searching for a solution on the web and I found this site and read this topic. I noticed there was a successful, but complex and long procedure which I couldn't follow, and the instructions were given to that specific case, so I decided to join BleepingComputer and create this topic. I'd like to receive instructions to have a removal of the virus (sirefef.AH). Just a question: I'm using my desktop computer to write this post; the infected computer is a laptop. Master Surgeon General said that a USB Flash drive would be needed. Mine was connected to the laptop after it was infected. Is it OK if I use that flash drive? Thank you in advance for help.

Answer:Sirefef.AH with automatic reboots after 1 minute (part 2)

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the ...


Why didn't I come here first? That's what I keep asking. In any event, here's my situation. Several weeks ago, I had something pop up identified as "Live Security Platinum". Knowing it was a virus, I was able to run Malwarebytes and it seemed to get rid of it. Then the computer got caught in this endless loop of the message popping up with "Windows has encountered a critical problem & will restart automatically in one minute. Please save your work now". Sure enough, it cycles and continuously reboots.

MSE always pops up as trying to clean the infection showing as Trojan:Win32/Sirefef.AH
Details show file:C:\Windows\system32\services.exe-> and container file C:\Windows\system32\services.exe

Looking for advice elsewhere, I ran Kaspersky Rescue Disk and it seemed to get rid of a few things as well, but the loop remains. I have tried safe mode and unplugging network/internet cable, all to no avail. I then found your site and, I again say why didn't I come here first?!?

I have reviewed many of the logs for similar problems as well as the prep guide and so forth. Here is what I have to report. I tried to turn off windows firewall and it initially came back with the message "Due to an unidentified problem, windows cannot display Windows Firewall Settings." After messing around trying to do some other things, it now says "The Windows Firewall service is not running."...

Answer:One Minute Critical Problem, Sirefef Virus, Vista SP2

Please do the following:
Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM\...\Run: [] [x]
C:\Windows\Installer\{b073be15-c1cf-2181-9e6c-84bd04262a1f}
C:\Users\Phil\AppData\Local\{b073be15-c1cf-2181-9e6c-84bd04262a1f}
replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
Now please enter System Recovery Options then select Command Prompt.
Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
Reboot Normally.
NEXT
Refer to the ComboFix User's Guide
Download ComboFix from the following location:

Link

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboF...
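The fixlist above restores services.exe from its WinSxS component-store copy, so the question a helper wants answered before and after running it is whether the live file still matches a store copy. The script below is an added, read-only example, not part of this thread or of FRST; it assumes an elevated PowerShell 3.0+ session (Get-FileHash and -Directory need 3.0), and the function names and the GUID-folder regex are constructed for this illustration.

```powershell
# Added example (not from the thread or from FRST): read-only integrity checks for
# services.exe and a listing of {GUID}-named folders of the kind the fixlist removes.
# Assumes an elevated PowerShell 3.0+ session on the affected machine.

function Test-ServicesExeIntegrity {
    $live = Join-Path $env:SystemRoot 'System32\services.exe'

    # 1. Authenticode status. Caveat: Windows system binaries are often catalog-signed,
    #    and older PowerShell builds report those as NotSigned, so treat this field as
    #    a hint and rely on the WinSxS comparison below as the primary check.
    $sig = Get-AuthenticodeSignature -FilePath $live

    # 2. Compare the live binary with every servicecontroller copy in the component
    #    store, i.e. the same source the fixlist's 'replace:' line restores from.
    #    On an unmodified system at least one copy (the installed version) matches.
    $liveHash = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
    $copies = Get-ChildItem "$env:SystemRoot\winsxs\*servicecontroller*\services.exe" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            [pscustomobject]@{ Path = $_.FullName; Sha256 = $h; MatchesLive = ($h -eq $liveHash) }
        }

    [pscustomobject]@{
        LivePath        = $live
        LiveSha256      = $liveHash
        SignatureStatus = $sig.Status
        WinSxSCopies    = $copies
        AnyCopyMatches  = [bool]($copies | Where-Object MatchesLive)
    }
}

function Find-GuidNamedFolders {
    # 3. List {GUID}-named folders under Windows\Installer and each user's AppData\Local,
    #    for review only (nothing is deleted). Constructed pattern: any {8-4-4-4-12} hex
    #    name. Windows\Installer legitimately holds GUID folders for MSI packages, so a hit
    #    there is a candidate, not a verdict; hits under AppData\Local are the unusual ones.
    $guidRe = '^\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$'
    $roots = @("$env:SystemRoot\Installer")
    $roots += Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local' }

    foreach ($root in $roots) {
        # -Force includes hidden folders, which is how such folders are typically kept.
        Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $guidRe } |
            Select-Object FullName, Attributes, LastWriteTime
    }
}

$result = Test-ServicesExeIntegrity
$result | Format-List LivePath, LiveSha256, SignatureStatus, AnyCopyMatches
$result.WinSxSCopies | Format-Table MatchesLive, Path -AutoSize
if (-not $result.AnyCopyMatches) {
    Write-Warning 'No WinSxS servicecontroller copy matches the live services.exe; inspect it further.'
}

Find-GuidNamedFolders | Format-Table -AutoSize
```

Run it before the fix to record the mismatch, and again after Fixlog.txt reports the replace as done; AnyCopyMatches should then be True.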


I was using my grandmother's computer tonight and somehow infected by Live Security Platinum. I used Malwarebytes to remove it by following the directions here.It appeared to work, but after restarting my computer, I keep getting the error, "Windows has encountered a critical problem and will restart automatically in one minute." I open up Microsoft Security Essentials to see what is causing the problem, and the two programs "Win64/Sirefef.Y" and "Win64/Sirefef.B" are labeled as dangerous. MSE cannot scan the computer quickly enough to remove those programs before the computer is restarted. Details provided by MSE shows that "file:C:\Windows\system32\services"I have seen other questions about this problem, but I wasn't able to find anything for Vista, only Windows 7. The solution also appears very specific in each case, with much pasting of results, so I didn't want to mess up my grandmother's computer by following directions that were not exactly correct. I have another computer and USB drive available. Thanks in advance for the help!

Answer:Windows Vista will restart automatically in one minute, and I have sirefef

Greetings And Welcome To The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At...


Hello all, Through various Google searches involving my problem, this appears to be the best forum to post on, so here I go. I am running Windows 7 x64 and will outline the following:
1) I noted that I began getting various browser redirects from sites when searching through Google (I have not checked if this was elsewhere). The browser would redirect me to websites such as newsfudge.com.
2) From this point I decided to attempt to run some scans. I had Microsoft Security Essentials installed however noted that it claims the service isn't running. When attempting to enable the service, it stated the service was not installed.
- This was rectified. I uninstalled and reinstalled the application successfully.
3) Upon attempting to run both Malwarebytes and MSE (Security Essentials from here on out), I would reboot into the computer and began to notice that I would get a dialogue box that would explain my computer is about to be logged off because of a critical error.
- Attempting to restore "Last known good configuration" did not resolve this.
- This does not occur while in Safe Mode, which is where I am posting this topic.
- I haven't been able to find a specific error within the System Logs so if there should be one stated please tell me what to look for.
- I believe this occurs when MSE detects several infections, which appear to be different variants of sirefef.
-- The last two variants of sirefef detected by MSE are: Trojan:Win32/Sirefef.AB and Trojan:Win64/Sirefef....

Answer:Windows 7: Reboots after 1 minute, browser redirects, sirefef variants

Hi,
Please do the following:
Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt
Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64...


Hello everyone, this is a repost of a thread from a few years ago.

Through various Google searches involving my problem, this appears to be the best forum to post on, so here I go. I am running Windows 7 x64 and will outline the following:

1) I noted that I began getting various browser redirects from sites when searching through Google (I have not checked if this was elsewhere). The browser would redirect me to websites such as newsfudge.com.
2) From this point I decided to attempt to run some scans. I had Microsoft Security Essentials installed however noted that it claims the service isn't running. When attempting to enable the service, it stated the service was not installed.
- This was rectified. I uninstalled and reinstalled the application successfully.
3) Upon attempting to run both Malwarebytes and MSE (Security Essentials from here on out), I would reboot into the computer and began to notice that I would get a dialogue box that would explain my computer is about to be logged off because of a critical error.
- Attempting to restore "Last known good configuration" did not resolve this.
- The same dialogue box pops up when I try to restart in Safe Mode, I am currently posting this from my work computer.
- I haven't been able to find a specific error within the System Logs so if there should be one stated please tell me what to look for.
- I believe this occurs when MSE detects several infections, which appear to be different variants of sirefef.
-...

Answer:Windows 7: Reboots after 1 minute, browser redirects, sirefef variants

Greetings And Welcome To The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the ...


Dear all, I'm a new member from a very far away location of yours, and this is my first post. I'm not a native English speaker so please forgive me if I use incorrect wordings. I must say that I'm illiterate in computer language, but I'm patient and ready to do whatever I've been told to keep my pc 'healthy'. Yesterday my desktop in office was infected by Live Security Platinum (LSP). I was astonished when the rogue said that my pc got 38 virus/malicious programs, I should take action immediately, pay money to get license, blah blah blah... Called my friend seeking for advice but only got answer that I had no choice but to call a computer service company to help me. Ahhh, I was so pissed off & concerned to the worst situation may happen. I went on Microsoft Support Center site for advice & very happeningly found BleepingComputer site, I did all the instructing steps to Remove Live Security Platinum (Uninstall Guide) & it worked. No more threat from LSP, but then my Window Security Essential (WSE) couldn't run, its icon in red. This morning, I had to remove & re-install the WSE. After installing, I ran WSE and then I got 2 messages, 1 from WSE and 1 from Notification. The messages are the same content like jtsm in Sirefef virus/trojan - Laptop restarting - Vista 32 bit topic. Right now my desktop is infected by Sirefef Trojan/virus. Please help me get rid of this virus. I don't know how to get & copy the log like jtsm did. Please...

Answer:Sirefef virus/trojan - my PC keep restarting every minute - Win Home Basic 7 - 32Bit

Please do the following:
Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt
Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe and press Enter.
Note: Replace letter e with...


Dear all, I'm a new member from a very far away location of yours, and this is my first post. I'm not a native English speaker so please forgive me if I use incorrect wordings. I must say that I'm illiterate in computer language, but I'm patient and ready to do whatever I've been told to keep my pc 'healthy'. Yesterday my desktop in office was infected by Live Security Platinum (LSP). I was astonished when the rogue said that my pc got 38 virus/malicious programs, I should take action immediately, pay money to get license, blah blah blah... Called my friend seeking for advice but only got answer that I had no choice but to call a computer service company to help me. Ahhh, I was so pissed off & concerned to the worst situation may happen. I went on Microsoft Support Center site for advice & very happeningly found BleepingComputer site, I did all the instructing steps to Remove Live Security Platinum (Uninstall Guide) & it worked. No more threat from LSP, but then my Window Security Essential (WSE) couldn't run, its icon in red. This morning, I had to remove & re-install the WSE. After installing, I ran WSE and then I got 2 messages, 1 from WSE and 1 from Notification. The messages are the same content like jtsm in Sirefef virus/trojan - Laptop restarting - Vista 32 bit topic. Right now my desktop is infected by Sirefef Trojan/virus. Please help me get rid of this virus. I don't know how to get & copy the log like jtsm. Please ins...

Answer:Sirefef virus/trojan - my PC keep restarting every minute - Win Home Basic 7 - 32Bit

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the ...


This is my first post. Thanks in advance for any help you can provide!

The Microsoft Security Essentials icon in the tray turned red, as if the service was turned off. I was having trouble getting it turned back on, so I went to the control panel and uninstalled the service. I downloaded a new copy from the Microsoft website and reinstalled.

Soon after installing, I got a message saying that threats had been cleaned off the computer and then another saying that 2 threats had been quarantined. The threats quarantined were:

Virus:win32/sirefef.R and Trojan:win32/sirefef.AH

As this threat message pops up, I then get a window open telling me that Windows has encountered a critical error and will shut down in one minute.

It restarts, stays on for about 90 seconds, but then shuts down again with the same message about detecting sirefef.R and .AH

Here are the logs:

Scan result of Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 11-08-2012 01:07:48
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-03-30] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-03-30] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe...

Answer:Sirefef virus/trojan - my PC keep restarting every minute - Win Home Basic 7 - 64bit

Greetings And Welcome To The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
- Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
- Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
- Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
- Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At...


MSE informs me of the presence of 3 Trojans:

Win32/Sirefef
Win32/Sirefef.AG
Win32/Sirefef.AL

MSE is quarantining these items and reports that they have been removed; however they have not. They provoke a response from MSE about once every 4 minutes (all 3 reappear simultaneously). MSE quarantines and then "removes" but the removal is not successful. I first noticed the MSE activity shortly after restarting the computer yesterday. Other items were detected at this time and appear to have been successfully removed - I think there were 2 other items - and I think their names were "FavPak" or similar and something with "adware" in its name.
The 3 Sirefef items continue to appear in MSE log every 4 minutes or so (simultaneously).
My machine is running Vista Home Premium (and that is about the extent of my knowledge).

I followed the trail from MSE to Microsoft help pages to Bleeping Computer (a well-trodden path I guess).
I am not particularly computer literate but I am able to follow complex instructions precisely.

Grateful for any assistance that you can give,

Thanks,

Phil

Answer:Sirefef, Sirefef.AG and Sirefef.AL infection

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top o... Read more


Specs: P4 2.6, Nvidia FX 5200 Ultra, 512 Mbs PC 3200, on XP Home SP2
AV: Avast Home (uninstalled, upgraded to latest version)
Firewall: Sygate Pro (uninstalled, upgraded to latest version)
Internet Connection: External USB ADSL modem (PPPoE) @ 3Mbps

Problem 1: XP Home reboots in the 3+ minute range. Once it gets to the 'Starting Windows XP' screen, it loads fine. Some damn thing is hanging.

Problem 2: My comp is running slow. Especially on the net. Task manager is reporting no excess network use. IE 6 acts like it's on a 56k modem. I use Mozilla Firefox, which runs fine, but my wife is an IE 6 fanatic. Shareaza and WinMX load slowly and take a minute or more to change tabs. BitTornado (latest versions all) loads and runs fine, but seems to hang after an hour or so. It stops updating speeds, seeds, peers, etc. It also closes slowly. Once I get online, the comp slams on the brakes. Mozilla is the only app that seems unaffected. Sygate is also logging a lot of portscans. 7 in the last hour or so. All from the same IP address. I've tried a reboot to get a new IP address, but the port scans start up again after about an hour, last about an hour then stop. So far I've resisted the urge to backtrace since it'll only egg the @$$hole on.....though if anyone has an ICBM I could use..........

NOTE I read the rules and I'm not asking for help with my P2P apps. Just mentioning them since they are affected. I installed the other ones since BT was acting flakey... Read more

Answer:XP 3+ minute reboot.


I have a laptop with Windows 7 Ultimate 32 bit. MSE reports both Sirefef.AH and Sirefef.R. I have tried to remove them using both MSE and MalwareBytes with no success. The computer reboots before DDS or GMER can run. What should I do next?

Answer:Sirefef.AH and Sirefef.R infection

Download TDSSKiller.
Launch it. Click on Change parameters, select TDLFS file system, then click on "Scan".
Please post the LOG report (log file should be in your C drive). Do not change the default options on scan results.
Download aswMBR.
Launch it, allow it to download latest Avast! virus definitions. Click the "Scan" button to start scan.
After scan finishes, click on Save log. Post the log results here.
Download ESET online scanner. Install it. Click on START, it should download the virus definitions.
When scan gets completed, click on LIST of found threats. Export the list to desktop, copy the contents of the text file in your reply.


Somehow this got picked up on one of the office computers!
Did a lot of digging & tried several 'fixes', none of which has worked.
First off, the shutting down feature of this keeps me from getting very far with any of the fixes.
I've tried going to a command prompt & running shutdown -a, but I either get a response that a shutdown isn't in progress or one already is & it can't be stopped.

Kaspersky Rescue disk, seemed to find something on first scan, but didn't fix it & any scan since shows nothing.
Running Malwarebytes from the Hiren's CD doesn't find it (the message that it can't be run from mini XP was confusing...)

MS Security Essentials picks up on them, but of course, the computer shuts down before anything can be done.

At this point, I am almost ready to format & re-install, but figured I'd try my luck here & am open to suggestions!

Answer:Sirefef.R & Sirefef.AH infection...

Welcome texan767, Appears we will need a deeper look. Please go here.... Preparation Guide, do steps 6-9. Create a DDS log and post it in the new topic explained in step 9 which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. If GMER won't run (it may not on a 64 bit system) skip it and move on. Let me know if that went well.


Thanks for the quick reply...I went thru the list of items to do but the machine has become unstable and I have unplugged it from the web and am using a laptop to communicate. I have run the FRST64 and have the FRST log. Will that be enough to begin, or do I need the DDS log as well? My MSE has identified the sirefef.AB and sirefef.P infection.

I am using Win 7 64 Pro

The computer in question will not allow the firewall to be re-engaged; it comes up with error code 0x80070424.

Thanks
Russ

Answer:sirefef.AB and sirefef.P infection

Hello, I have also run DDS and have the Defogger log as well...


I have a laptop with Windows 7 Ultimate 32 bit. MSE reports both Sirefef.AH and Sirefef.R. The laptop reboots every minute. I have tried to remove them using both MSE and MalwareBytes with no success. The computer reboots before DDS or GMER can run. What should I do next? I have both an FRST log and TDSSKiller log. I could not get DDS to complete prior to reboot.

FRST log

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 05-08-2012 01
Ran by SYSTEM at 06-08-2012 22:09:57
Running from G:\
Windows 7 Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet003

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1049896 2008-04-24] (Synaptics, Inc.)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe [1261568 2007-11-19] ()
HKLM\...\Run: [Acer Product Registration] "C:\Program Files\Acer\Acer Registration\ACE1.exe" /startup [3387392 2007-11-26] (Leader Technologies)
HKLM\...\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [147456 2008-10-08] (CyberLink Corp.)
HKLM\...\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade De... Read more

Answer:Sirefef.AH and Sirefef.R infection

TDSSKiller log
17:30:54.0696 1852 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
17:30:54.0727 1852 ============================================================
17:30:54.0727 1852 Current date / time: 2012/08/06 17:30:54.0727
17:30:54.0727 1852 SystemInfo:
17:30:54.0727 1852
17:30:54.0727 1852 OS Version: 6.1.7601 ServicePack: 1.0
17:30:54.0727 1852 Product type: Workstation
17:30:54.0727 1852 ComputerName: BAINE-ACER
17:30:54.0727 1852 UserName: Boyce
17:30:54.0727 1852 Windows directory: C:\Windows
17:30:54.0727 1852 System windows directory: C:\Windows
17:30:54.0727 1852 Processor architecture: Intel x86
17:30:54.0727 1852 Number of processors: 2
17:30:54.0727 1852 Page size: 0x1000
17:30:54.0727 1852 Boot type: Safe boot
17:30:54.0727 1852 ============================================================
17:30:56.0007 1852 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
17:30:56.0007 1852 Drive \Device\Harddisk1\DR1 - Size: 0x7AF00000 (1.92 Gb), SectorSize: 0x200, Cylinders: 0xFA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
17:30:56.0007 1852 ============================================================
17:30:56.0007 1852 \Device\Harddisk0\DR0:
17:30:56.0007 1852 MBR partitions:
17:30:56.0007 1852 \Device\Harddisk0\DR0\Partition0: MBR, Typ... Read more


Hello,
I just found this forum while searching for a solution for this problem and saw the amazing help you provide to people, so I registered and hoping that someone will be able to help me.

I run windows 7 professional x64 and use MSE and the built in windows firewall. I noticed a couple of days ago that the MSE realtime protection was disabled and I couldn't enable it. After that I noticed that the Windows Firewall and Windows Defender were disabled too and I couldn't enable them, just got a 0x80070424 error message.

I uninstalled and reinstalled MSE and it found Trojan:Win32/Sirefef.AB and Trojan:Win64/Sirefef.P infections. When I want it to remove them it tells me the computer needs to restart and forces a restart in 1 min. After restart it just starts over again. So I manually disabled the realtime protection to not have the restarts 1 min after windows starts.

I also tried Malwarebytes Antimalware and it too finds rootkits/trojans and wants to restart the computer to get rid of them but they show up again after the restart.

I've uninstalled Daemon Tools Lite and am pasting the logs from DDS and from MBAM.

My sincerest thanks for any help,
Fredrik

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.3.1
Run by Fredrik at 14:58:08 on 2012-08-13
Microsoft Windows 7 Professional 6.1.7601.1.1252.46.1033.18.4094.2516 [GMT 2:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F34... Read more

Answer:Sirefef.AB and Sirefef.P infection, please help

Please run the following. Refer to the ComboFix User's Guide. Download ComboFix from the following location:

Link

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here
Double click on ComboFix.exe & follow the prompts. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


XP pro freezes in one to three minutes after I reboot with no applications running. Num Lock light will go off and on with toggle. Hard drive light is active for a couple of minutes but then goes to a steady blink; the cursor will not activate anything and eventually I get an hourglass that never goes away until I reboot.
Does not freeze in Safe Mode.
I have defragged and run memtest--OK.
Was able to nurse it through Norton update and a current scan--found no viruses. Once I got the virus scan going it did a complete scan-5-10 minutes and did not freeze??
BOXX computer with Dual XEON 3.06 with 4 GB ram (ram from BOXX), Nvidia Quadro FX 1000 128MB graphics card with 2 73GB 10000 rpm scsi drives, XP Pro.
The unit is under warranty, and the manufacturer is sending me 2 new drives (one with new OS installed). However, I somehow do not believe the drives are the problem and I may lose all of my programs and data for nothing.
Suggestions greatly appreciated. Roger

Answer:XP freezes about one minute after reboot

I would think it would have been a virus. Your computer should be very fast with those specs. Try another virus scan like the Trend Micro HouseCall. Norton is no good, it never finds anything, that's why I got rid of it a year ago. R0SS


Windows Vista 32 bit on a dell computer, we got this nasty virus that kept telling us that windows will restart in 60 seconds, making it very hard to stop.

We rebooted in safe mode and even in safe mode it still rebooted after a short time, with networking or without. Even the command line safe mode got this message, and no amount of shutdown -a would stop it.

By perusing your excellent forums, we were able to restore to a system snapshot from the top thing in safe mode F8 and get rid of the reboot, and we got some files off with Malwarebytes, but then the virus attacked and disabled Malwarebytes.

Because we think this may be a java exploit, we killed all the jre, and the computer runs ok, but we would really like to clean it up.

Attached are dds logs and gmer logs.

Answer:sirefef ac ag reboot

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT....
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.
How to : Disable Anti-virus and Firewall... http://www.bleepingcomputer.com/forums/topic114351.html
Double click on ComboFix.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.
Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===
Third party programs if not up to date can be the ca... Read more


Help, my computer automatically reboots after 1 minute.
MSSE says sirefef infection.

Here is the FRST.TXT file.

Thanks

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by W7 at 23-07-2012 09:11:53
Running from C:\
Service Pack 1 (X86) OS Language: French Standard
Attention: Could not load system hive. Erreur : Le processus ne peut pas accéder au fichier car ce fichier est utilisé par un autre processus.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.
============ One Month Created Files and Folders ==============

2012-07-23 09:35 - 2012-07-23 09:11 - 00000000 ____D C:\FRST
2012-07-23 09:12 - 2012-07-23 09:12 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\yyhuknpj.sys
2012-07-23 09:08 - 2012-07-23 09:08 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\guwslplh.sys
2012-07-23 08:24 - 2012-07-23 08:24 - 00000000 ____D C:\Users\Public\Desktop\CC Support
2012-07-23 08:19 - 2012-07-23 08:36 - 00000000 ____D C:\Windows\erdnt
2012-07-22 23:32 - 2012-07-22 23:32 - 00892164 ____A (Farbar) C:\FRST.exe
2012-07-22 23:05 - 2012-07-23 08:36 - 00000000 ___SD C:\32788R22FWJFW
2012-07-22 23:03 - 2012-07-23 08:36 - 00000000 ____D C:\Qoobox
2012-07-22 23:02 - 2012-07-22 23:02 - 04582474 ____R (Swearware) C:\Users\W7\Desktop\z.exe
2012-07-22 21:22 ... Read more

Answer:HELP Sirefef reboot

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.
FRST needs to be run from the Recovery environment. Please follow these directions:
Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer... Read more


Before anything, thank you for your help.

I have a netbook that is infected with variants of sirefef as reported by MSE. Upon power-up, the computer loads, and reboots in a loop every 60 seconds or so. When I log in, I can get very little done (as in running utilities) before the system has a critical error and reboots.

I tried to complete the README. Installed CCleaner (system rebooted). Ran CCleaner, system rebooted before the scan could complete.

Downloaded RogueKiller, Malwarebytes, Hitman Pro, and MG tools from a working computer, moved to usb drive, copied to correct locations on infected pc (working between reboots).

Ran RogueKiller: System rebooted during scan, no log.
Ran MalwareBytes: System rebooted during scan, just after I was able to get scan to start, no log.
Ran HitMan Pro: System rebooted during scan, no log.

Ran MGtools: this is the only one that produced a log. I don't know if the program finished, the cmd window did not close and did not have a "completed" message when the computer rebooted. (I did make the mistake of running this twice (after a reboot), contrary to the instructions. I have included both logs as a precaution.) Log Attached

Thank you again for your help,
Greg
 

Answer:sirefef and 60 second reboot

As soon as you boot into windows, open a command prompt and type in:
shutdown /a

Now see if you can run the scans.
 


I have a several month old Dell Dimension 4600 running WinXP Home, with dual monitors, which runs great, I'm happy. If I have to reboot for some reason, everything shuts down fine, but the system shows the F2/F12 screen briefly, then goes to a black screen with the underline cursor for 5 minutes! After 5 minutes, the HD kicks in, XP loads normally and everything runs fine. Scanning through the various BIOS setup items, Fast Boot is on, system is set to boot from C: first, then CD; and there don't seem to be any "weird" or obviously wrong settings of any kind. Any suggestions?
I have also run msconfig and gone through turning off start up programs, etc. but once loading XP begins, everything runs fine, it just takes 5 minutes to start...
 

Answer:5 minute reboot - BIOS issue?


I recently downloaded the Sims 3 Pets from Origin. Think it's possibly not a coincidence that when I searched through the similar topics for the virus that people had the Sims 3 in their files. I checked the file location for something MalwareBytes picked up and it was created the day I downloaded this game. I can't seem to get rid of this virus. Microsoft Security Essentials, Windows Firewall and Windows Update will not turn on. When I scan with M Security Essentials and with M Security Scanner it gets to a certain point and then comes up saying there is a critical error and the laptop will restart in one minute. What can I do to get rid of this virus? I've uninstalled M Security Essentials now and have installed MalwareBytes. My details are:

64 Bit Operating System
Dell Inspiron N7010
Windows 7 Home Premium

The same restarting seems to happen on MalwareBytes. It's got to the same file on a quick scan three times:

C:\Windows\Installer\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\U

There are three files inside:

[email protected]
[email protected]
[email protected]

Once it's identified it, it says it urgently needs to restart.

Microsoft Security Essentials identified it as Win64/Sirefef.B

From MalwareBytes:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.11.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Bethany :: BETHANY-PC [administrator]

Protection: Disabled

11/08/2012 19:46:55
... Read more

Answer:Win64/Sirefef.B - MSE, Windows Firewall, Windows Update will not turn on - Restarts every minute when attempt to use M Security...

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At... Read more


Just this afternoon, I went to use my PC and got the following error: Windows has experienced a critical error and will restart in 1 minute.

Running Windows 7 64 bit....With automatic updates so it should be the latest version of Windows...

My anti virus (Avira 2012 Internet Suite) pops up and states I have 2 viruses. But before the AV can do anything (delete the files) Windows shuts down....I finally got into Safe Mode and tried running my AV, while it was scanning I then got a BSOD. Had to start all over again; Running MalwareBytes now before trying to do the AV scan, just to see if MalwareBytes catches anything.

I have uninstalled the only application I've installed in 3 months, and problem still persists...

I have a Hijackthis log if it needs to be viewed...Just let me know and I'll upload it.
 

Answer:Windows has a critical error and will reboot in 1 minute

when you get the 1 minute warning, try typing from the start menu "shutdown -a" or "shutdown /a", and the countdown should go away, and you should be able to remove the viruses.

Be sure to disable your system restore backups (delete them), or the viruses may come back. Re-enable them as soon as you are sure you have gotten rid of the viruses.
 


I have a lenovo ideapad y400 that is now almost 2 months old. Earlier today, I noticed that it did not properly go into hibernate when I shut it. The keyboard was still lit up, with no LCD display (including not if I hit Fn+F2) and with the fan at high rpms. I shut it down by holding the power button, and upon rebooting it, it took over 4 minutes to get back to the desktop. It now requires the 4 minutes every time I restart, and it never goes into hibernate with the lid closed (it must be shut down by the power button).

Fearing that the computer may be having a serious issue, I tried to make a backup with Onekey recovery, which failed to write a backup (repeatedly). It returned an error saying it couldn't access the partition. I then uninstalled onekey recovery, downloaded it again from the lenovo website. Now when I run onekey recovery it says my system is not able to write a backup.

I am now stuck in a tough spot of not being able to backup my laptop and not being able to do a recovery without losing everything. On the lenovo support site, when I select startup issues, the feedback it gives me is "Thank you for your question. This is a known problem and a solution is being developed. Please check back for updates."

Anyone have any ideas what could be causing the main (shutdown/startup) issue? As the laptop is under warranty, should I just send it back to Lenovo?

Answer:ideapad y400 won't shutdown/4 minute reboot

hi hansweeks,

If your PC came with a HDD+SSD drive, try to boot into the BIOS (by repeatedly pressing F2 on startup) and check if both the HDD and SSD are detected (if you're missing one, that HDD might be faulty and needs to be replaced).

If both HDDs are detected (or if your PC came with only a SATA HDD) try to run an HDD diagnostic. Try HD Tune to run HDD error checking in Windows or create a bootable HDD diagnostic (see steps below).

1. Download the UBCD ISO
2. Burn the ISO using imgburn
3. Insert the CD that you just created into the defective computer and reboot
4. Upon reboot, continuously press F12 and boot from the ODD/CD-DVD

To burn the diagnostic software on a flashdrive, follow this guide

Note:
If you find any errors, you will need to send the unit to Lenovo for service. Support phone list here.

For data backup, you can copy / paste your files on a USB flashdrive / hard drive or use this software to clone your hard drive.

Hope this helps


My L50 works great for 25 to 30 minutes on average and then cuts out on its own. I turn it on again and it works again for 25 to 30 minutes, every time. If I'm careful I can restart it before it cuts out at 25 minutes, as many times as I want, and it works normally. Could you help me? Thank you.


I have been beating my head against the wall with this one.
Just got a Gateway E-9520T for a customer. We spent the last week configuring it, installing updates, etc--but it's pretty much vanilla Windows Server 2003 R2 32-bit with exchange 2003. We haven't installed any of their customer applications yet.

During the setup and testing we did everything from leaving it on at night, to shutting down over night, rebooting, etc...

A few days ago it suddenly started taking around 30 minutes to boot and 30 minutes to shutdown.

During the startup/shutdown the RAID array is going crazy. Tons of file access.
When starting up it performs POST correctly, starts booting Windows (2003 Server Logo, with the little scroll thing at the bottom), and then the screen flashes like it's about to switch to graphical mode. But it hangs there with a blank screen for 30ish minutes.

The morning this started we hadn't installed any new drivers, updates, applications, or anything. Just fired the box up.

Gateway thought it might have been the MegaRAID card, so they sent a new one. No change. MegaRAID says their latest firmware fixes an issue that sounds like this problem. Updated the MegaRAID firmware, and it's still taking forever to boot.

What I've done:
Waited forever for the system to come up, rollback driver updates for the RAID card. (no effect)
Booted off Gateway's recovery CD (at their request) and used it to reinstall the factory default drivers. (no effec... Read more


OS - Windows 7 32-bit
I have obtained the Sirefef trojan on my laptop and would like assistance in getting rid of it.
My situation is very similar to the one found in this topic.
I am afraid to use the Internet on my infected laptop, so I hope to use a USB flash drive to solve the problem (as in the above topic).
Let's tackle this problem together! You guys are great at what you do, and I admire your expertise. I'm ready to follow your lead!
Thanks,
Stratego

Answer:Sirefef Trojan ||| Reboot Loop

I do not have access to the System Recovery Options because I have misplaced my Windows 7 installation disc.

However, I still managed to use Farbar Recovery Scan Tool, although it was not in a recovery environment.
I think I should be okay.

The following is my FRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 15-08-2012
Ran by Zack at 15-08-2012 16:40:14
Running from F:\
Service Pack 1 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.
============ One Month Created Files and Folders ==============

2012-08-15 16:31 - 2012-08-15 16:40 - 00000000 ____D C:\FRST
2012-08-15 14:31 - 2012-08-15 16:04 - 00000914 ____A C:\Windows\PFRO.log
2012-08-15 14:14 - 2012-08-15 14:14 - 00000000 ____D C:\Users\All Users\ESET
2012-08-15 14:08 - 2012-08-15 14:14 - 00000000 ____D C:\Program Files\ESET
2012-08-15 03:06 - 2012-08-15 16:37 - 00001512 ____A C:\Windows\setupact.log
2012-08-15 03:06 - 2012-08-15 03:06 - 00000000 ____A C:\Windows\setuperr.log
2012-08-14 21:18 - 2012-08-14 21:18 - 00000000 ____D C:\Windows\System32\%APPDATA%
2012-08-09 18:10 - 2012-08-09 18:10 - 00098304 ____A (Sony DADC Austria AG.) C:\Windows\System32\CmdLineExt.dll
2012-08-07 23:20 ... Read more
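The FRST and Malwarebytes excerpts posted in these threads share a few mechanically checkable indicators: two freshly created, identically sized `.sys` files with random eight-letter names under `System32\Drivers` (the French-language post above), a directory literally named `%APPDATA%` under `System32` (the FRST.txt just above), and a `C:\Windows\Installer\{GUID}\U` folder (the Win64/Sirefef.B post), plus the `0x80070424` error two posters saw when the firewall would not re-enable. The script below is an added example written for this page; it is not a post from any of these threads and not part of FRST, Malwarebytes or MSE. The sample lines are constructed from the posts above, the name-randomness test is a rough heuristic of my own rather than a vendor rule, and the HRESULT decoder only knows the single Win32 code the posters quoted.

```python
"""Triage helper for FRST and Malwarebytes log lines posted in Sirefef threads.

Added example for this page, not a post from any thread and not part of FRST,
Malwarebytes or MSE. It checks log lines for three indicators quoted in the
posts above: randomly named .sys files dropped into System32\\Drivers, a
directory literally named %APPDATA% under System32, and an Installer\\{GUID}\\U
folder. It also decodes the 0x80070424 error two posters saw when the firewall
would not start.
"""
import re
from collections import defaultdict

# Constructed sample: modelled on the FRST "One Month Created Files" lines and
# the Malwarebytes path quoted in the threads above.
SAMPLE_LINES = [
    r"2012-07-23 09:12 - 2012-07-23 09:12 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\yyhuknpj.sys",
    r"2012-07-23 09:08 - 2012-07-23 09:08 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\guwslplh.sys",
    r"2012-08-14 21:18 - 2012-08-14 21:18 - 00000000 ____D C:\Windows\System32\%APPDATA%",
    r"2012-08-15 14:08 - 2012-08-15 14:14 - 00000000 ____D C:\Program Files\ESET",
    r"2012-07-22 23:32 - 2012-07-22 23:32 - 00892164 ____A (Farbar) C:\FRST.exe",
    r"C:\Windows\Installer\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\U",
]

# FRST entry: "created - modified - size attrs (vendor) path"; vendor is optional.
FRST_ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>_{3,4}[A-Z]+) "
    r"(?:\((?P<vendor>[^)]*)\) )?(?P<path>.+)$"
)
DRIVER_PATH = re.compile(r"\\System32\\Drivers\\([a-z]{8})\.sys$", re.IGNORECASE)
APPDATA_DIR = re.compile(r"\\System32\\%APPDATA%$", re.IGNORECASE)
INSTALLER_U = re.compile(r"\\Installer\\\{[0-9a-f-]{36}\}\\U$", re.IGNORECASE)


def looks_random(name):
    """Rough heuristic (my own, not a vendor rule): eight letters with at most
    one vowel and a run of four or more consonants reads as machine-generated."""
    name = name.lower()
    vowels = sum(c in "aeiou" for c in name)
    longest = max((len(run) for run in re.findall(r"[^aeiou]+", name)), default=0)
    return vowels <= 1 and longest >= 4


def parse_line(line):
    """Return (path, size, vendor) for an FRST entry, or (line, None, None) for a bare path."""
    m = FRST_ENTRY.match(line.strip())
    if not m:
        return line.strip(), None, None
    return m.group("path"), int(m.group("size")), m.group("vendor")


def triage(lines):
    """Return a list of (path, reason) for every line that matches an indicator."""
    findings = []
    sizes = defaultdict(list)  # size -> paths of flagged drivers
    for line in lines:
        path, size, vendor = parse_line(line)
        drv = DRIVER_PATH.search(path)
        if drv and looks_random(drv.group(1)):
            who = f" (claims vendor {vendor})" if vendor else ""
            findings.append((path, "random-looking driver name in System32\\Drivers" + who))
            if size is not None:
                sizes[size].append(path)
        if APPDATA_DIR.search(path):
            findings.append((path, "directory literally named %APPDATA% under System32"))
        if INSTALLER_U.search(path):
            findings.append((path, "Installer\\{GUID}\\U folder"))
    # Several new drivers of identical size within a month is a second signal.
    for size, paths in sizes.items():
        if len(paths) > 1:
            findings.append((", ".join(paths), f"{len(paths)} new drivers share size {size}"))
    return findings


WIN32_ERRORS = {1060: "ERROR_SERVICE_DOES_NOT_EXIST"}  # 0x424, the code quoted in the posts


def decode_hresult(text):
    """Map an HRESULT such as 0x80070424 (facility 7 = Win32) to (code, name);
    None when the facility is not Win32."""
    value = int(text, 16)
    if (value >> 16) & 0x7FF != 7:
        return None
    code = value & 0xFFFF
    return code, WIN32_ERRORS.get(code, "unknown Win32 error")


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LINES):
        print(f"{reason}: {path}")
    print(decode_hresult("0x80070424"))
```

Paste a whole FRST "One Month Created Files" section (or a Malwarebytes path) into `SAMPLE_LINES` and every hit is a lead for the helper's next step, not a verdict: a legitimate driver with an odd eight-letter name will also trip the heuristic, which is why the identical-size check and the claimed vendor are reported alongside it. The decoded error is the useful part of `0x80070424`: Win32 error 1060 means the service the firewall depends on no longer exists, which tells the responder it was deleted rather than merely stopped.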


So ever since I upgraded to a GeForce GTX 460, I've been getting these ~1min long freezes every time my PC just finished loading Windows (either after a cold boot or reboot).

What could be causing this?

EDIT: This didn't happen to me with my old Radeon HD 5770.

Answer:Windows freezes for over ~1 minute after each cold boot/reboot

I would suspect a driver issue first thing. Check here for the July 2010 version: Drivers - Download NVIDIA Drivers


Hi All,
I am having the problem as per the title and cannot seem to remove the sirefef trojan in time before it reboots.
I have run a FRST64.exe in system repair and this is the outcome:

Scan result of Farbar Recovery Scan Tool Version: 17-06-2012 04
Ran by SYSTEM at 19-06-2012 21:50:20
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-03-30] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-03-30] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [418840 2011-03-30] (Intel Corporation)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [608112 2011-03-29] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-05-27] (IDT, Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3668336 2011-03-24] (Dell Inc.)
HKLM\...\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint&... Read more

Answer: Win7 Reboot after 1 minute, security centre not working

Good evening. Will you fire up FRST64 again but this time I want you to run a search for a file. Paste the following into the Search: textbox and click the Search File(s) button:

services.exe

Let me have the log that will be found on the flashdrive, as before.

30 more replies
Relevance 54.94%

Came home to see Windows telling me it needs to reboot due to a recent update. Upon reboot I noticed it was sitting there at the animated Windows logo prior to the logon screen. The numlock LED on the keyboard was stuck so I reset the computer with no change. I then tried safe mode with also no luck. I reset once more and did some googling for quick solutions and about 5 minutes later the computer goes to the logon screen. This is repeatable. I ran a chkdsk /r /f with no change. I'm not quite sure what to check from here but something is definitely wrong when I go from a 10 second start time to 5 minutes. Any ideas?

Answer: how to troubleshoot 5 minute bootup (prev 10s) after win update reboot

Hello and welcome Kevin mate. If you can get safe mode, which I am assuming of course, do a system restore to as far back as you like, and then it is just a matter of installing updates until one finds the offender and then you just hide it so it doesn't bother you again. (Right click on it and pick Hide)

If you are not offered many restore points click on the box for further back ones, see pic, but I suspect you know about this option.

1 more replies
Relevance 54.94%

Hi, I'm Kattie. My problem is with my Dell netbook (Inspiron Mini 1012 I think) with Windows 7 Starter.

Honestly, I have no idea where to begin. A few months ago, I contracted a pretty terrible virus that pretty much wiped out my netbook and entirely thwarted any of my attempts at fixing it. I don't remember how at this point, but before it became completely inaccessible, I somehow figured out that it was the sirefef virus. I got a mini-scan to bring up sirefef.exe or something similar, I really don't remember at this point. But the symptoms seem to match other reports, so unless I can figure out otherwise, I think it's safe to assume that sirefef was the beginning of the problem.

Now, when this first happened, I found other people's methods for posting logs and getting fixes, and that was my initial plan for repair, but I just generally ended up procrastinating it, and now, I have a completely different problem and have no idea how to even begin to solve it.

I'm really not sure when this happened or if it's even the result of the virus at all (though I assume it is), but my netbook is now stuck in the most irritating reboot loop that I can just not seem to get out of. I'm really not sure what details to mention here, so it'd probably just be better to ask me specific questions, but I'll explain as well as I can for now.

I was having a reboot problem when first infected, but it had a lag of 60-90 seconds, which meant I could ac... Read more

Answer: Continual Reboot After Virus (Possibly Sirefef?)

I'll report this topic to appropriate helpers.
Hold on....

86 more replies
Relevance 54.94%

Hi Everyone

I have a Lenovo Laptop running Windows 7 Pro x64
It is infected with Sirefef
I have used FRST64 to get the txt files
They will be posted below
Please help write the fixlist.txt

Regards
Michael Tiemann
The IT Bunch

Answer: Sirefef Virus Computer Reboot 60 Secs

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 30-07-2012 19:08:08
Running from G:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2741544 2011-04-07] (Synaptics Incorporated)
HKLM\...\Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2011-11-17] (Lenovo)
HKLM\...\Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9753024 2011-11-17] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5908928 2011-11-17] (Lenovo(beijing) Limited)
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [170264 2012-02-14] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [398616 2012-02-14] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [440600 2012-02-14] (Intel Corporation)
HKLM\...\Run: [nseapc] "C:\Windows\System32\rundll32.exe" "C:\Users\Scott.AAS\AppData\Roaming\nseapc.dll",Resize ... Read more

3 more replies
Relevance 54.12%
Question: Sirefef Infection

Hello and thanks for looking at my thread.
I appear to have been infected with the sirefef trojan that has been going around. Microsoft Security Essentials says that it detects a trojan called Sirefef. The problem is that it is causing my PC to reboot. It gives me an error saying that my machine encountered a critical error and needs to reboot. I have looked into other threads on this board that have had similar issues. I would have simply followed the instructions from that thread, but the notice that each script is written for each individual case is deterring me from trying it.

I would like to get a little bit of assistance on how to proceed.

I am prepared to post any logs upon request. Any help would be greatly appreciated.
Edit: Here are my FRST results.

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 29-07-2012 11:38:30
Running from K:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Sy... Read more

Answer: Sirefef Infection

Hello and welcome to Bleeping Computer! I am D-FRED-BROWN and I will be helping you. Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.

----------Step 1----------------

I know you've already run TDSSKiller before, but please run it one more time so we have an up-to-date idea of what may be remaining on the computer.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan.
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Skip is selected, then click Continue > Reboot now to finish the cleaning process.
Note: Do not choose Cure or Delete unless instructed.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually ... Read more

3 more replies
Relevance 54.12%
Question: sirefef infection

Hello all, thank you for taking the time to read my post.
My eset antivirus detected a variant of sirefef, so I deleted it. Obviously its not that easy. All of a sudden my antivirus was corrupt and I need to reinstall. Try to reinstall, and for some reason it has been removed completely. I looked for a solution, and yorkyt.exe seemed easy enough for what I needed, so I followed the easy steps. First reboot fine, tells me it found a bad driver and replaced it. Second reboot, I get the blue screen. Now I can't start up normally. I have a yorkyt.exe log on the desktop, telling me it replaced adf.sys and added it to md5s. I don't really know what some of this means, and am hoping someone here can fix what I've done.
Thanks again

Answer: sirefef infection

Hello -

That yorkyt.exe file on your desktop belongs to Panda Security and is used to disinfect Trj/Sirefef and Rootkit/ZAccess (if it's the same one). Open it to check.
http://www.pandasecurity.com/enterprise/support/card?id=1672&idIdioma=2

Download Screen317 Security Check from Here and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt;
* Please Copy / Paste the contents of that document back here.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE (or any similar file) to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Next: Please download Malwarebytes AntiMalware to desktop.
Check for updates if not done during download and run a Quick Scan only.
You can check "Remove" for any infections found, and the program may ask you to Reboot if several infections are found.
Please Copy / Paste the Report log back here when completed.

Next: Please download SUPERAntiSpyware to desktop.
Check for latest updates if not done during the download.
You can check "Remove" for any infections found, and the program may ask you to Reboot if several infections are found.
Run a Quick Scan only and Copy / Paste the Report log back here when finished - Thank You -

10 more replies
Relevance 54.12%
Question: Sirefef infection

Seems like I had the sirefef; it has completely shut down my MSE, but I went into safe mode and ran ComboFix, and I'm not getting redirects any more and MSE and MBAM don't find anything. Just want to make sure everything is clean and traces are removed.

ComboFix 12-06-16.01 - Byron 06/16/2012 16:46:03.9.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8175.6431 [GMT -7:00]
Running from: s:\users\Byron\New folder\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\Installer\{149159c9-750d-6dca-1786-6a83e9d9237b}\@
c:\windows\Installer\{149159c9-750d-6dca-1786-6a83e9d9237b}\L\[email protected]
c:\windows\Installer\{149159c9-750d-6dca-1786-6a83e9d9237b}\L\1afb2d56
c:\windows\Installer\{149159c9-750d-6dca-1786-6a83e9d9237b}\L\201d3dde
c:\windows\Installer\{149159c9-750d-6dca-1786-6a83e9d9237b}\U\[email protected]
c:\windows\Installer\{149159c9-750d-6dca-1786-6a83... Read more

Answer: Sirefef infection

OTL scan

OTL logfile created on: 6/16/2012 6:52:43 PM - Run 1
OTL by OldTimer - Version 3.2.49.0 Folder = S:\Users\Byron\New folder
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.98 Gb Total Physical Memory | 5.09 Gb Available Physical Memory | 63.70% Memory free
14.98 Gb Paging File | 12.03 Gb Available in Paging File | 80.30% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 111.79 Gb Total Space | 21.51 Gb Free Space | 19.25% Space Free | Partition Type: NTFS
Drive D: | 500.09 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive S: | 931.51 Gb Total Space | 557.05 Gb Free Space | 59.80% Space Free | Partition Type: NTFS

Computer Name: BYRON-PC | User Name: Byron | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/16 17:15:01 | 000,595,968 | ---- | M] (OldTimer Tools) -- S:\Users\Byron\New folder\OTL.exe
PRC - [2012/05/30 21:20:02 | 000,096,144 | ---- | M] (Wondershare) -- C:\Program Files (x86)\Wondershare\Mo... Read more

4 more replies
Relevance 54.12%

Microsoft Security Essentials has identified sirefef on my system, but can't remove it. Malwarebytes can't either, and it's hijacking my browser - and I don't know what else. I won't post any logs here, but can anyone tell me please what I should post so that someone can help me? Or any precautions I should take in the meantime? Running XP SP3, Firefox. Thanks.

Answer: sirefef AC / AH infection

Download TDSSKiller. Launch it.
Click on change parameters - Select TDLFS file system.
Click on "Scan".
Please post the LOG report (log file should be in your C drive).

Please download GMER from here (does not work on 64 bit OS):
http://www2.gmer.net/download.php
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.

Download aswMBR. Launch it, allow it to download latest Avast! virus definitions.
Click the "Scan" button to start scan.
After scan finishes, click on Save log.
Post the log results here.

3 more replies
Relevance 54.12%

I have a problem with an employee's computer. I do not know what she was doing or how this happened exactly. I do know that when I was called in to her office she had been deleting junk emails and reading the news on an Indianapolis online newspaper.

The fake security warning was "Security Alert" next line "Windows Explorer"

her computer is/has

Win XP
Malwarebytes(free)
Microsoft Security Essentials.

Actions Taken:
1. ctrl-alt-del to close the message. DID NOT click anywhere on it, but suspect this was not its first appearance and that it had been clicked on and allowed prior to involving me.
2. MSE castle starts enumerating infections(ended w/6) and turned from green to yellow to red.
3. Chose the option of removing infections and restarted
4. Infections consisted of sirefef/p(4 instances)and patchload.o(two infections)
5. No improvement after restart.
6. Ran malwarebytes with no infection found. MB latest update was early this morning.
7. Checked MSE history and lots of lines with these two, most showing removal, a few disinfections and 2 allowed.
8. Castle turns orange, then red and 2 "potential" infections

Details:

sirefef.p---c:\windows\assembly\GAC_MSIL\desktop.ini
patchload---c:\windows\system32\wcauclt.exe

Can you help me?

Answer: sirefef.p infection with Win XP

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

1 more replies
Relevance 54.12%
Question: Sirefef infection

Hello

I've seen many other posts relating to sirefef infection on this thread, but I wanted to make my own thread so I could have someone help me out as it seems many people's situations have been different.

I first noticed MSE was not working properly and wouldn't run real-time protection. I ran a scan and it detected many instances of Sirefef, most of which I think were removed on reboot. However, obviously it is still on the computer considering windows firewall and MSE still won't work correctly. MSE no longer detects sirefef any longer. When I tried running malwarebytes, it picked up one instance of it, however, I paused the scan to check to see if it was actually sirefef. It was, so I rebooted, and now Malwarebytes doesn't appear to detect it anymore. I did a full system scan with windows defender which did not detect anything either.

Right now, the only symptoms I am having are issues with windows firewall and MSE. I have downloaded several of the tools recommended in the other threads, but I need to know where to start removing this. It looks like I have caught it fairly early, so I'm not completely hosed yet.

Normally, I would just format the disc and recover stuff, but I cannot find my windows 7 discs, so I have to do this the hard way. The following is the first log from FSS ran in safe mode. If anybody could help me get rid of this completely, I would greatly appreciate it. I've tried running malwarebytes again, and it appears to b... Read more

Answer: Sirefef infection

Hello and welcome.

We need a deeper look. Please go here....Preparation Guide, do steps 6-9.
Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.
Also include the logs you posted earlier.
Let me know if that went well.

2 more replies
Relevance 54.12%
Question: Sirefef infection

Hello!

Unfortunately I've been hit with this nasty Sirefef virus. Judging by this week's activity, it seems a lot of users have been hit by this virus. My OS is Windows 7 and continuously reboots itself after every minute with the virus. I have read up some about the virus requiring a few logs from Farbar, ComboFix, and a few others. Here is my Farbar log:

!-------FRST.exe--------!

Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 15-08-2012 14:27:55
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start [335976 2011-08-03] (NVIDIA Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-12-08] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [25469... Read more

Answer: Sirefef infection

Standing by for a fixit.txt

15 more replies
Relevance 54.12%

Hello -

I've got a sirefef infection. The computer is a pretty new Dell 64-bit Win 7 computer that was using MSE as the AV. MSE finds win64/sirefef.W, sirefef.P, and win32/sirefef.AB. I had to disable MSE because of the 1 minute restart loop sirefef forces. It also randomly sends me to webpages and I can't turn on Windows Firewall. Except for working on this forum to try and fix it I'm keeping the computer off. I followed the instructions in the malware guide, and got logs from DDS. I'm posting the DDS.txt log and attaching the attach.txt log as instructed. Thanks in advance for all help!

- Kirk

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.3.1
Run by Kirk Bays at 23:37:10 on 2012-07-16
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8084.6629 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\s... Read more

Answer: Sirefef infection - please help

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

22 more replies
Relevance 54.12%

Hello there,

I went to bed last night, and everything was fine with my computer. I woke up this morning, with a coffee cup I sat in front of my PC and I realized that Microsoft Essential Security software was disabled. I found it very odd. I uninstalled it, and reinstalled the software. I ran a quick scan, and it came up with: Sirefef.W. I instructed my AV to delete the bugger, and then ran a full scan. Nothing was found. I then rebooted my computer, and my AV found the same Sirefef.W again. I've read on the Internet that this virus/Trojan is a hard one to cure. I also found this forum with the search. I would like to thank you guys for having such forums, and looking forward to you guys to help me getting rid of this virus/Trojan as I don't want to reinstall my PC at this time.

I have a 64bit system, so I didn't create a GMER log as instructed. My firewall is disabled and is not showing up in the services.msc snap-in. Maybe it's the Trojan's work.

Thanks in advance.

DDS log (I removed my name from the logs and inserted {NAME REMOVED-}):

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by AT at 11:20:20 on 2012-05-29
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
uInternet Settings,ProxyServer = 125.206.230.233:80
mWinlogon: Userinit=userinit.exe
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6... Read more

Answer: Possible Sirefef.W infection

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At t... Read more

3 more replies
Relevance 54.12%
Question: Sirefef infection?

I'm currently running Windows XP SP3

After restarting my computer today, I noticed Microsoft Security Essentials wasn't running (ie, it was in the system tray, but it was red with a cross through it). I wasn't able to start it up, which I found rather suspicious.

So I went to add/remove programs, removed Microsoft Security Essentials (I'll refer to it as MSE from now on), then reinstalled it (from a fresh download). This worked fine. MSE updated itself and ran an automatic quick scan, and detected several instances of Trojan: Win32/Sirefef

Specifically, it listed:
Win32/Sirefef
Win32/Sirefef.P
Win32/Sirefef.AG
Win32/Sirefef.AL

These were quarantined, and I removed them. However, I got an error message during the install of MSE saying that the Windows Firewall could not be initialized. When I tried to initialize it manually (through the control panel) I got the error: "Due to an unidentified problem, Windows cannot display Windows Firewall settings".

I restarted the computer, thinking that this might help. When I opened the history tab in MSE, it showed that it had found and quarantined the same list of four trojans again. Thinking it was time for a full scan, I started running a full MSE system scan, but that seemed to freeze my computer (admittedly, it was still starting up, so that might have been partially to blame) and wasn't progressing. I was unable to open Internet Explorer, though I got Firefox open - at this point I stopped the... Read more

Answer: Sirefef infection?

Download TDSSKiller. Launch it.
Click on change parameters - Select TDLFS file system.
Click on "Scan".
Please post the LOG report (log file should be in your C drive).

Please download GMER from here (does not work on 64 bit OS):
http://www2.gmer.net/download.php
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.

Download aswMBR. Launch it, allow it to download latest Avast! virus definitions.
Click the "Scan" button to start scan.
After scan finishes, click on Save log.
Post the log results here.

19 more replies
Relevance 54.12%
Question: Sirefef infection

Was sent here by narenxp, after posting this topic. I'm running a WIN7 64-bit OS and did not run GMER.

Here is my DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
Run by Malte at 23:15:11 on 2012-07-17
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.45.1033.18.6142.5161 [GMT 2:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows ... Read more

Answer: Sirefef infection

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

19 more replies
Relevance 54.12%
Question: Sirefef infection

Hey guys

I recently found out that I was infected with the Sirefef virus, and after some googling I actually found a thread on this forum where a user was guided to removal of this virus from his PC. I followed these instructions and scanned my pc with all of the listed programs, several times, and removed what seemed to be a lot of infected files. STILL, I get the same message after booting my pc, "Windows has encountered a critical problem and will restart automatically in one minute."

So this is the thread where I followed the instructions provided for removal, http://www.bleepingcomputer.com/forums/topic456396.html.

Any help would be greatly appreciated.

Answer:Sirefef infection

Boot into safe mode with networking and let me know if you have the same error message.

9 more replies
Question: Sirefef infection

I have run frst64.exe from System Recovery and here is the log file:

Scan result of Farbar Recovery Scan Tool Version: 20-07-2012
Ran by SYSTEM at 20-07-2012 09:07:17
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [497504 2009-08-21] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [711000 2009-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-07-29] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1482080 2009-08-11] (TO...

Answer:Sirefef infection

Please do the following:

Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM\...\Run: [] [x]
HKLM\...\RunOnce: [*Restore] C:\windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
cmd: del /a/f/q c:\windows\tasks\at*.job
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt. Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply. Reboot Normally.

NEXT

Refer to the ComboFix User's Guide. Download ComboFix from the following location:

Link

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise in...

2 more replies
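The FRST output in this thread and the fixlist in the reply show three things the helper acted on: an autorun entry with an empty name whose file is missing (the "[] [x]" line), FRST's own "ATTENTION! ====> ZeroAccess" marker on the SubSystems value, and Desktop.ini files under assembly\GAC_32 and GAC_64. The script below is an added example for triaging FRST log text for those three signs; it is not part of FRST or of this thread. The sample lines are constructed from the ones quoted above, and the reason codes are names chosen here.

```python
import re

# Constructed sample, modelled on the FRST lines quoted in the thread above
# (not a real machine's log).
SAMPLE_LOG = r"""
HKLM\...\Run: [] [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
HKLM\...\RunOnce: [*Restore] C:\windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
"""

# FRST autorun line: <hive>\...\<Run|RunOnce>: [<name>] <command, or [x] when the file is missing>
RUN_LINE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\(?P<key>RunOnce|Run): \[(?P<name>[^\]]*)\] (?P<rest>.*)$"
)
# Marker FRST prints itself when the SubSystems value has been tampered with.
ZEROACCESS_FLAG = re.compile(r"ATTENTION! ====> ZeroAccess")
# Desktop.ini under the GAC: the loader stub the fixlist in the thread deletes.
GAC_STUB = re.compile(r"\\assembly\\GAC_(32|64)\\Desktop\.ini$", re.IGNORECASE)


def classify_line(line):
    """Return a short reason code for a suspicious FRST line, or None if clean."""
    m = RUN_LINE.match(line)
    if m:
        # Empty value name plus [x] (file not found): the entry the fixlist removed.
        if m.group("name") == "" and m.group("rest").strip() == "[x]":
            return "empty-autorun-missing-file"
        return None
    if ZEROACCESS_FLAG.search(line):
        return "frst-zeroaccess-marker"
    if GAC_STUB.search(line):
        return "gac-desktop-ini-stub"
    return None


def triage_frst_log(text):
    """Return [(line, reason)] for every flagged line, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = classify_line(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage_frst_log(SAMPLE_LOG):
        print(f"{reason:28} {line}")
```

Feed it the whitelisted Registry section of a real FRST.txt; it only reports, so a helper still decides what goes into a fixlist.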

Hi, ESET says I have a Sirefef.DN problem and I was hoping to get some help. I've been getting a lot of redirects when I click on google links.

Thanks in advance!

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Lap at 6:06:06 on 2012-03-23
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8170.6850 [GMT -7:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bigfoot Networks...

Answer:Sirefef.DN Infection

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

1. Do not run any other tool until instructed to do so! Doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.
2. Please do not attach logs or put them in code boxes. Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.
3. After each step give me a little feedback. It does not need to be long, but just something so I know how things are going. It can be something like: I am still getting redirected; The computer is running as it should. Don't put things like "it is the same as before" or "still the same", this just makes me go back and look for your last feedback as to how things are.
4. Read every post completely before doing anything. Pay special attention to the Notes** I have put in. These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Ba...

24 more replies
Question: Sirefef infection?

Hi

MSE (which I had to reinstall to get to work) keeps finding three Sirefef problems (every three mins or so):

these are
Trojan: win32/Sirefef
Trojan: win32/Sirefef.AG
Trojan: win32/Sirefef.AL

My Windows security centre or Windows Firewall will not start up.
Have done -

Have downloaded and run:

TDSSkiller

GMER

aswMBR

Results are shown below

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-09 13:10:35
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c MAXTOR_STM3250820A rev.3.AAE
Running: mjq27417[1].exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kwtcqpoc.sys
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xAC0282F4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xAC0225CA]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xAC04158A]
SSDT \SystemRoot\System32\vsdata...

Answer:Sirefef infection?

08:43:17.0703 3352 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
08:43:19.0703 3352 ============================================================
08:43:19.0703 3352 Current date / time: 2012/06/09 08:43:19.0703
08:43:19.0703 3352 SystemInfo:
08:43:19.0703 3352
08:43:19.0703 3352 OS Version: 5.1.2600 ServicePack: 3.0
08:43:19.0703 3352 Product type: Workstation
08:43:19.0703 3352 ComputerName: AAABBBCCC
08:43:19.0703 3352 UserName: user
08:43:19.0703 3352 Windows directory: C:\WINDOWS
08:43:19.0703 3352 System windows directory: C:\WINDOWS
08:43:19.0703 3352 Processor architecture: Intel x86
08:43:19.0703 3352 Number of processors: 2
08:43:19.0703 3352 Page size: 0x1000
08:43:19.0703 3352 Boot type: Normal boot
08:43:19.0703 3352 ============================================================
08:43:21.0984 3352 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x7E2D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
08:43:21.0984 3352 ============================================================
08:43:21.0984 3352 \Device\Harddisk0\DR0:
08:43:21.0984 3352 MBR partitions:
08:43:21.0984 3352 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1C0681
08:43:21.0984 3352 ============================================================
08:43:22.0000 3352 C: <-> \Device\Harddisk0\DR0\Partition0
...

2 more replies

Hello, I have a trojan horse that has galloped its way onto my PC. I have run AVG Anti-virus and Malware. Malware comes up with nothing, but the AVG program pops up occasionally asking me to remove this virus. Attached are all of the files from the diagnostic tools.

DDS Log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Eric at 15:19:16 on 2012-02-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.785 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\Dantz\...

Answer:Sirefef.ER infection?

Hello FlyFishNC, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
We need to get a little additional information.

1. Please download aswMBR ( 511KB ) to your desktop.
Double click the aswMBR.exe icon to run it.
Click the Scan button to start the scan.
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

2. Please download Listparts
Please download Listparts64
Run the tool, click Scan and post th...

7 more replies

Dear Experts,

I am on a x64 Windows 7 machine. I have a serious infection of Sirefef-OH RTK. consrv.dll keeps popping up in the registry and Windows\System32. Also Windows\Assembly\GAC_32\Desktop.ini and Windows\Assembly\GAC_64 keep getting infected. Also Windows\Assembly\Temp has bad files. The dropper is in one of the Network services.
Thanks for any help you can provide.

Pasted dds log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Administrator at 15:13:15 on 2012-03-04
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.36.1033.18.16297.13181 [GMT 1:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: PC Tools Spyware Doctor *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
...

Answer:Sirefef RTK infection

Dear Experts,

I reinstalled, please close the thread, thank you for your time.

Best regards,
Blade80holo

2 more replies
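The opening post of this thread names the on-disk artifacts this variant kept re-creating: consrv.dll in System32, Desktop.ini under assembly\GAC_32 and GAC_64, and files in assembly\Temp; the fixlist earlier on this page adds at*.job files in Windows\Tasks. The script below is an added example, not a tool from any of these threads, that walks a Windows directory for exactly those paths. It builds a constructed throwaway tree so it runs offline; the finding descriptions are wording chosen here, and it only reports, deleting nothing.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the threads on this page, relative to the Windows directory.
FILE_INDICATORS = [
    ("assembly/GAC_32/Desktop.ini", "Desktop.ini loader stub in assembly\\GAC_32"),
    ("assembly/GAC_64/Desktop.ini", "Desktop.ini loader stub in assembly\\GAC_64"),
    ("System32/consrv.dll", "consrv.dll planted in System32"),
]
# at*.job files are the scheduler jobs the fixlist on this page deletes.
AT_JOB = re.compile(r"^at\d*\.job$", re.IGNORECASE)


def scan_windows_root(win_root):
    """Return [(relative_path, description)] for every indicator present under win_root."""
    root = Path(win_root)
    findings = []
    for rel, desc in FILE_INDICATORS:
        if (root / rel).is_file():
            findings.append((rel, desc))
    tasks = root / "Tasks"
    if tasks.is_dir():
        # Sorted case-insensitively so the report order is stable across file systems.
        for entry in sorted(tasks.iterdir(), key=lambda p: p.name.lower()):
            if entry.is_file() and AT_JOB.match(entry.name):
                findings.append((f"Tasks/{entry.name}", "at*.job scheduled task"))
    temp = root / "assembly" / "temp"
    if temp.is_dir():
        # assembly\temp is normally empty; the thread reports dropped files there.
        for entry in sorted(temp.iterdir(), key=lambda p: p.name.lower()):
            if entry.is_file():
                findings.append((f"assembly/temp/{entry.name}", "file left in assembly\\temp"))
    return findings


def build_sample_tree():
    """Create a constructed Windows-like tree in a temp dir (sample data, not a real system)."""
    base = Path(tempfile.mkdtemp(prefix="winroot_"))
    planted = [
        "assembly/GAC_32/Desktop.ini",
        "assembly/GAC_64/Desktop.ini",
        "System32/consrv.dll",
        "System32/winsrv.dll",                 # legitimate name, must not be reported
        "Tasks/at1.job",
        "Tasks/At27.job",
        "Tasks/GoogleUpdateTaskMachineUA.job",  # ordinary job, must not be reported
        "assembly/temp/ab3c.tmp",
    ]
    for rel in planted:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, desc in scan_windows_root(sample):
        print(f"{rel:32} {desc}")
```

On a live machine, call scan_windows_root(r"C:\Windows") from an account that can read those directories; an empty list means none of the page's indicators are present, not that the machine is clean.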
Question: Sirefef infection

So my computer's infected with Sirefef, whatever that is, as Microsoft Security Essentials is finding many instances of it in the recycle bin.

Windows Defender is also not capable of starting, now. Immediately before this, it was working fine, and actually alerted me to a virus's presence (couldn't read the name, because as soon as I opened the window, and saw there was something WD was calling a threat, it closed spontaneously), and when I try to open Windows Defender via the control panel, the window will open, but if I click start now, I get an error saying it doesn't seem to be installed.

I have no idea how I got this virus, seeing as I just recently reinstalled windows (formatted using the windows disc, suppose that didn't do the job then, if I'd had the virus beforehand?), but I'm hoping someone here can give me a hand with removing it without having to reformat and reinstall windows AGAIN.

Answer:Sirefef infection

Download TDSSKiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive). Do not change the default options on scan results.

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions.
Click the "Scan" button to start scan.
After scan finishes, click on Save log.
Post the log results here.

Download ESET online scanner
Install it.
Click on START, it should download the virus definitions.
When scan gets completed, click on LIST of found threats.
Export the list to desktop, copy the contents of the text file in your reply.

9 more replies

Hello, today my computer got Sirefef.AH in its system. Yes, that Sirefef.AH. The one that mutates by the second and causes you to pull your hair out. I've been all over the net, looking for answers, but have found none. Can anyone assist me? Thanks

Answer:Sirefef.AH Infection

Download TDSSKiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)

Please download GMER from here (does not work on 64 bit OS)
http://www2.gmer.net/download.php
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions.
Click the "Scan" button to start scan.
After scan finishes, click on Save log.
Post the log results here.

1 more replies

Seems I've been infected by "Sirefef". MSE detects and attempts to remove it, which seems to have triggered constant reboots.

Any and all help is greatly appreciated. Thanks!

Answer:Sirefef infection. Help Please

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user account, try using a different user...

3 more replies
Question: Sirefef Infection

Computer started getting Security Shield popups and Microsoft Security Essentials was disabled and wouldn't start back up. Ran Malwarebytes and it removed Sirefef infection. Now the system starts up and immediately MSE finds infections and wants to reboot to finish removing. Then a popup box says "Windows has experienced a critical error and will reboot in one minute. Please save your work."

I ran DDS.scr in safe mode since I was unable to run it when booting normally before the system reboots.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Andy at 10:38:45 on 2012-07-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6092.4718 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\...

Answer:Sirefef Infection

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ...

10 more replies
Question: sirefef infection

Hello all, I have a sirefef virus and I guess the quickest way to sum it up is in this post :
http://www.bleepingcomputer.com/forums/t/496853/sirefef-infection/#entry3069673
I ran dds last night. At around the 20 minute mark it hadn't finished, or moved for that matter, in 19 minutes. I cancelled it and went to bed. I'm now running it before I go to work, and will post the log when I get home. Hopefully.

Answer:sirefef infection

No luck. Before I left this morning, the scan jumped to over three quarters finished. It is in the same spot now, over 11 hours later.

17 more replies
Question: Sirefef Infection

Hello,

I was using my computer (Dell Studio, running 64 bit Windows 7 Home Premium), when Microsoft Security Essentials detected a few variants of the Sirefef trojan and one Necurs A Trojan. MSE wasn't offering real time protection then, but I reinstalled it and it is now. This caused my computer to shut down and I was stuck in the startup recovery loop. I managed to boot up Windows using System Recovery and ran TDSSKiller, MBAM and MSE, and apparently managed to remove some of the Sirefef trojans. I was able to boot normally after this. However, when MSE detected another Sirefef trojan, I decided to post to see if I could completely remove it from my system. My Windows Firewall is not working as well.

Also, it says my Windows is in Test Mode.
The DDS.txt log is below, thanks for the help in advance.

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_25
Run by Varun at 16:53:55 on 2012-07-17
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.91.1033.18.4061.2172 [GMT 5.5:30]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe...

Answer:Sirefef Infection

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ...

15 more replies

Microsoft Security Essentials detected Sirefef.AB, M, and W trojans before I had to uninstall it. (If running, I would get a "Windows has encountered a critical error and will automatically close in one minute" message within a few minutes of starting the computer.) Windows Firewall has also been turned off and I can't turn it back on.

The following is my DDS log. Thank you in advance for any help.
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Run by Admin at 21:42:20 on 2012-08-03
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.33.1033.18.3894.2615 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C: ...

Answer:Sirefef.AB, M and W Infection

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At...

25 more replies
Question: Sirefef Infection

Here's the log, what do I do next?

Scan result of Farbar Recovery Scan Tool Version: 04-07-2012 01
Ran by SYSTEM at 05-07-2012 19:19:25
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [168216 2011-04-19] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [392472 2011-04-19] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [416024 2011-04-19] (Intel Corporation)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [609144 2011-04-12] (Alps Electric Co., Ltd.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3668336 2011-03-24] (Dell Inc.)
HKLM\...\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()
HKLM\...\Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray [1935120 2011-09-15] (Intel® Corporation)
HKLM\...\Run: ...

Answer:Sirefef Infection

Hello Dovahkiin, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
HKLM-x32\...\Run: [] [x]

NOTICE: This script was written specifically for ...

9 more replies
Question: Sirefef infection

As per request, here is my post as directed by step #9. I am running 64bit so there is no GMER scan/log. Here are the DDS logs

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Marshall at 21:19:56 on 2012-09-30
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6111.4484 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
F:\aswMBR.exe
C:\Program Files (x86)\Mozilla Firefox\...

Answer:Sirefef infection

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At...

32 more replies

I ran the Microsoft Safety Scanner, and it says that I'm infected with Sirefef.R. As soon as it tries to fix the problem, it says "Windows has encountered a critical problem and will restart in one minute", which it does. The first thing that alerted me that I had a problem was that I had the "Security Shield" malware pop up and websites were being redirected. I ran Malwarebytes to remove "Security Shield", but when I restarted and rescanned it was still showing infections. After that, I downloaded and ran Microsoft Safety Scanner. It is still showing that I'm infected with Sirefef.R, and websites are still being redirected.

Thanks in advance for any help. It's greatly appreciated.

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Tama at 21:54:29 on 2012-07-14
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1790.686 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPC... Read more

Answer:Sirefef.R infection

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

20 more replies
Question: Sirefef infection

I'm having the same rebooting issues that other victims of Sirefef are having. I'm running Vista 32 bit.

I checked other threads and all of them mention System Recovery Options. I don't seem to have that option in the advanced boot menu.

Answer:Sirefef infection

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user account, try using a different user... Read more

1 more replies
Question: Sirefef infection

I'm dealing with a Sirefef infection (according to NOD32) on a netbook with no CD drive. Here are the applicable logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
Run by Kate at 15:35:19 on 2012-07-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2039.828 [GMT -4:00]
.
AV: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\AsusService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WL... Read more

Answer:Sirefef infection

Hi,

Please do the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe and... Read more

10 more replies

Good day all,

My computer is infected with the sirefef trojan malware!! It keeps on rebooting... Please help!

The frst.txt and search.txt files are attached

Please please please help me asap!!

Thanks in advance! :wave

Answer:Sirefef infection... HELP!!

Welcome to Major Geeks!

Download this >>

View attachment fixlist.txt

Save fixlist.txt to your flash drive.

You should now have both fixlist.txt and FRST64.exe on your flash drive.
Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows and tell me how things are working now!

1 more replies

Every time I shut down and restart my machine, the screen saver settings resort to the original 1-minute one and goes back to it every time after I've set it to 5-minutes, apply, hit OK and then get out. What gives?

More replies

I set my screen saver to 5 minutes. Hit apply, and OK. The settings take hold, but then when I reboot or shut down the machine and turn it back on, it resets to the original 1-minute mode. What gives?

More replies

The screen saver 5 minute setting reverts back to the original 1-minute setting every time the computer is shut down and restarted. What gives?

More replies

I can't reboot my computer without my computer getting to the Windows screen and then restarting and going to System Restore. I have done Malwarebytes scans and Microsoft Security Essentials scans that came up with some trojans. Was told that it was removed but it still happens.

Answer:Every time I reboot, it doesn't work. Last check sirefef trojan.

Download OTL to your Desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
OTL should now start. Change the following settings:
Change Drivers to All
Change Standard Registry to All
Under File Scans, change File age to 30
Under the Custom Scan box paste this in:
netsvcs
set /c
/md5start
consrv.dll
UXTHEME.DLL
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
Userinit.exe
Explorer.exe
Winlogon.exe
Regedit.exe
SCLWAPI.dll
/md5stop
%SYSTEMDRIVE%\*.*
%systemroot%\System32\config\*.sav
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job
%systemroot%\assembly\tmp\U\*.* /s

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.Please post the contents of the OTL.txt file and attach the Extras.Txt, if any, in your next reply.

24 more replies
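The "/md5start ... /md5stop" section of the OTL custom scan above asks the tool for the MD5 of each listed file, so the helper can compare them against known-good copies: these are the system binaries and storage drivers that rootkits of the Sirefef/ZeroAccess family patch in place. The following script is an added example and is not part of the forum thread or of OTL. It computes the same MD5 values and additionally checks each file's Authenticode signature, because a binary patched in place fails validation with Status = HashMismatch regardless of whether its MD5 happens to be on anyone's list. The file list is copied from the OTL instructions; services.exe is an addition assumed here because Sirefef variants of the period patched it. Run from an elevated PowerShell on the suspect machine.

```powershell
# Added example, not from the thread or from OTL. Hash the files the OTL
# /md5start list asks about and verify each one's Authenticode signature.
# Run from an elevated PowerShell on the suspect machine.

$files = @(
  'consrv.dll','UXTHEME.DLL','eventlog.dll','scecli.dll','netlogon.dll',
  'cngaudit.dll','sceclt.dll','ntelogon.dll','logevent.dll',
  'iaStor.sys','nvstor.sys','atapi.sys','IdeChnDr.sys','viasraid.sys',
  'AGP440.sys','vaxscsi.sys','nvatabus.sys','viamraid.sys','nvata.sys',
  'nvgts.sys','iastorv.sys','ViPrt.sys','eNetHook.dll','ahcix86.sys',
  'KR10N.sys','nvstor32.sys','ahcix86s.sys','nvrd32.sys',
  'Userinit.exe','Explorer.exe','Winlogon.exe','Regedit.exe','SCLWAPI.dll',
  'services.exe'   # assumption: not in the OTL list, added because Sirefef patches it
)

# Directories where these files legitimately live; SysWOW64 exists only on x64.
$dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers",
          "$env:SystemRoot\SysWOW64", $env:SystemRoot) |
        Where-Object { Test-Path -LiteralPath $_ }

# .NET MD5 rather than Get-FileHash so this also runs on the PowerShell 2.0
# that ships with Windows 7. A running executable can still be opened for read.
$md5 = [System.Security.Cryptography.MD5]::Create()
function Get-Md5Hex([string]$Path) {
  $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
  try     { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
  finally { $stream.Close() }
}

$results = foreach ($name in $files) {
  foreach ($dir in $dirs) {
    $path = Join-Path $dir $name
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
      Path      = $path
      MD5       = Get-Md5Hex $path
      Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
      Signer    = $signer
    }
  }
}

$results | Format-Table Path, MD5, Signature, Signer -AutoSize

# HashMismatch means the file content no longer matches its embedded signature:
# that is the in-place patch to look for. NotSigned alone is not proof (see note).
$results | Where-Object { $_.Signature -eq 'HashMismatch' } |
  ForEach-Object { "PATCHED? $($_.Path)" }
```

One caveat when reading the output: many Windows binaries carry no embedded signature and are signed through a catalog instead, and older PowerShell versions report those as NotSigned, so NotSigned by itself does not indicate tampering. HashMismatch does, and so does an MD5 that differs from a clean copy of the same file version. The built-in equivalent check is `sfc /verifyonly`, which compares protected files against the component store, though on a box that is rebooting every minute it may not get to finish.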

I started having a problem with one of my computers this morning.
What looked like the Adobe Updater came up already downloading, and now the computer restarts by itself after about 2 minutes.
Security Essentials says it's Win64\sirefef.P, but the computer restarts before I can do anything, or before any programs can get rid of it.

I've run the recommended programs, but the computer restarts before most of them can finish.

Here are the files from the programs that have finished or nearly finished.

Thanks in advance for any help.

Answer:Malware causing system to reboot? Possibly Win64\sirefef.P

Found out how to properly run FRST64, the correct log is attached.

2 more replies

Hey guys, I got this virus somehow. Rarely happens. I tried running ComboFix and it says "the subsystem needed to support the image type is not present." I have tried everything I can. I am attaching the FRST logs. I would GREATLY appreciate some help on this. I can't get it to stop rebooting. I've done a lot of stuff with F8. Tried recovery CDs I made specifically for this kind of thing and those don't even work. FAIL on MS part. So I have to rely on other sources, and you guys have never failed me. Again my utmost gratitude if you would look into these logs and see if something can be fixed.

Thank you so much.
Regards Dean.

Typing on a laptop. not easy.

Answer:Virus:win64/sirefef.B + Firewall Disabled + Constant Reboot. Cannot fix.

I think I fixed it. I really have no idea how, but it's not rebooting anymore. My firewall is back. I ran ComboFix after the PC would stay on. Running MS Safety Scanner, which found the viruses in the first place. I am just happy I can back up files at least. A combo of this site and others helped me. I wish I had more info for others. Persistence on trying different stuff.

I hope this thread can be closed. Waiting for final scan.

fixed

2 more replies

Hi,

I was hit by Live Security Platinum. I managed to uninstall it manually, but then my PC started rebooting after one minute. I solved that with Windows Defender Offline, and cleaned up Sirefef with Malwarebytes. Malwarebytes and MSE say that I'm clean, but I cannot start Windows Firewall or Windows Updates.

I got various error messages when trying to start WF, so I installed ZoneAlarm's firewall. WF is listed in Services, but when I try to start it, it says Windows could not start the Windows Firewall on Local Computer.(Edit: I followed the suggestions from http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/5366225a-46e7-4d6c-a389-8bd18a5c3aad and it works now!)

When I try to run Windows Update it says that Windows could not search for new updates with a 80244018 error. But when I try to search from Microsoft Updates it finds 18 updates. However, when I try to install them, they all fail and it says Some updates were not installed with a 80246008 error. (Edit: I stopped the service and renamed Windows\SoftwareDistribution. I am now able to update from MS Updates, but not from sys admin.)

I'm running Win7-64. I'm in the process of moving, so I don't have my Win7 DVD, but I have the files on my backup drive, so maybe I can make a bootable DVD or USB.

I delete old restore points with CCleaner, but always keep one. But now I don't see any, so maybe Sirefef deleted that one, too?

Here is DDS.txt. I wasn't abl... Read more

Answer:Cleaned Sirefef and auto reboot, but can't start firewall and updates

Hi,

I've managed to sort out most of my problems. The remaining Windows Updates problem was actually caused by some old registry entries from when I once joined a domain.

But when I had solved that, I realized that I couldn't start the Security Center from the Action Center. But http://windowsxp.mvps.org/helpsvcfix.htm fixed that.

So now everything SEEMS to work and be clean, but I would be grateful if you could please take a quick look at the log file to see if there's anything that looks like a leftover from the Trojan.

Thanks!

3 more replies
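The poster's leftover symptoms (Windows Firewall will not start, Security Center unavailable, Windows Update failing until SoftwareDistribution was renamed) are the usual residue of a Sirefef/ZeroAccess cleanup: the malware disables the firewall, filtering engine, Security Center and Defender services, and removing its components does not put them back. The script below is an added example, not from the thread or the linked TechNet post. It reports, for each of those services, whether the service registry key still exists, what its current status is and what its start type is, and then performs the update-cache reset the poster described (stop the service, rename SoftwareDistribution, start it again). The service names are the standard Windows ones; nothing in it is specific to the poster's machine. Run from an elevated PowerShell.

```powershell
# Added example, not from the thread. Post-cleanup check of the services
# Sirefef/ZeroAccess disables, followed by the Windows Update cache reset the
# poster described. Run from an elevated PowerShell.

$expected = @{
  'BFE'       = 'Base Filtering Engine (Windows Firewall depends on it)'
  'MpsSvc'    = 'Windows Firewall'
  'wscsvc'    = 'Security Center'
  'WinDefend' = 'Windows Defender'
  'wuauserv'  = 'Windows Update'
  'BITS'      = 'Background Intelligent Transfer Service (used by Windows Update)'
}

function Test-SecurityServices {
  foreach ($name in $expected.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $status = 'MISSING'                    # SCM cannot see a service whose key is gone
    if ($svc) { $status = $svc.Status }
    # Start: 2 = Automatic, 3 = Manual, 4 = Disabled; empty if the key is gone
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    New-Object PSObject -Property @{
      Service     = $name
      Description = $expected[$name]
      RegistryKey = Test-Path -LiteralPath $key
      Status      = $status
      StartType   = $start
    }
  }
}

function Reset-WindowsUpdateCache {
  # What the poster did by hand: stop the service, move the download cache
  # aside so it is rebuilt, start the service again. BITS holds files in the
  # same folder, so it is stopped as well.
  $sd = Join-Path $env:SystemRoot 'SoftwareDistribution'
  Stop-Service -Name wuauserv, BITS -Force -ErrorAction Stop
  if (Test-Path -LiteralPath $sd) {
    $backup = 'SoftwareDistribution.old.' + (Get-Date -Format 'yyyyMMddHHmmss')
    Rename-Item -LiteralPath $sd -NewName $backup
  }
  Start-Service -Name BITS, wuauserv
}

Test-SecurityServices | Format-Table Service, RegistryKey, Status, StartType, Description -AutoSize
Reset-WindowsUpdateCache
```

A row with RegistryKey = False means the service definition itself was deleted, which is why the Services console shows "could not start" rather than an ordinary failure; that service has to be re-registered from a clean copy of the registry key (the TechNet thread the poster followed describes that), not merely started. A row with StartType = 4 only needs `Set-Service -Name <name> -StartupType Automatic` followed by a start. The rename is deliberately a rename rather than a delete so the old cache can be inspected or restored.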

Hi,
I'm running 64bit Win7.
Yesterday I had a notification about Microsoft Security Essentials, my Firewall and a device driver.
This evening, I've attempted to troubleshoot it to no avail, and after some internet reading, I believe I've contracted Sirefef
I cannot run Microsoft Security Essentials, nor can I uninstall or download pretty much any other AV program. The download box informs me the file is a virus and has been deleted. Malwarebytes ran, found a trojan but it kinda glitched and I'm not sure if it removed it or not.
Other than disabling my security, I haven't noticed anything else.
Your help would be much appreciated.

Answer:Suspected Sirefef Infection

Hi, let's see what we can find out.

Please download Rkill.
Double-click on the Rkill desktop icon to run the tool.
If using Vista or Win. 7, right-click on it and Run as administrator.
A black DOS box will show and then disappear (wait for it to go away). This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If the tool does not run, please let me know. Or if it seems to have taken too long.
Do not reboot the computer until you have run the applications listed below, otherwise you will have to run Rkill again.
Post the log that Rkill makes, on your desktop, in your next post. Along with the Rkill log please also rerun Malwarebytes (aka MBAM) after Rkill and post both the "current" log and the previous MBAM log as well.

If you do have Sirefef (aka ZeroAccess) you will need elevated help.

12 more replies

I have Win7 64. I had MSE running, now have Prevx3. PC was rebooting, unable to start Windows. I have to go back to a restore point if I want to use the machine. I've run ESET and MBAM and maybe some others but cleaning the infection puts the machine back in the same symptom. I've noticed now that Windows Firewall service is missing too. From the scans I've run I've managed to see at least the sirefef.g as one culprit although there may be others. Help!

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Dad at 18:25:33 on 2012-03-19
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2048.896 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemN... Read more

Answer:Sirefef.G infection consrv.dll

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

1. Do not run any other tool until instructed to do so! Doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.

2. Please do not attach logs or put them in code boxes. Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.

3. After each step give me a little feedback. It does not need to be long but just something so I know how things are going; it can be something like "I am still getting redirected" or "The computer is running as it should". Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.

4. Read every post completely before doing anything. Pay special attention to the Notes** I have put in. These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Pl... Read more

21 more replies

I think I'm going to need some help cleaning up my PC. I know you guys are good and I've read a previous thread about this same issue. (http://www.bleepingcomputer.com/forums/topic456952.html) I followed the steps in the second post, and ran all 4 applications. At first, Windows kept encountering a critical error and was in a restarting loop. I would turn it on, get that error, and it would restart. It finally stopped and I downloaded and ran those programs. I had 4 or 5 trojan sirefefs still quarantined afterwards, and finally decided to remove them all again. I held off because I was afraid of the restart loop, but so far so good. I'm now running a MSE full scan. Any help would be appreciated. Thank you. Oh, and I can't turn on my Windows firewall still.... Also... virus and spyware update failed for MSE

Answer:Trojan sirefef infection...

Download TDSSKiller.
Launch it. Click on Change parameters, select "TDLFS file system", then click on "Scan".
Please post the LOG report (the log file should be in your C drive). Do not change the default options on scan results.

Download aswMBR.
Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan.
After the scan finishes, click on Save log.
Post the log results here.

Download ESET online scanner.
Install it. Click on START; it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.
Export the list to desktop, copy the contents of the text file in your reply.

12 more replies

Hi. I'm operating on Windows 7, 64 bit and am infected with the Luhe.Sirefef.A Virus, from what AVG tells me from a recent computer scan. The scan also showed about 300 other potentially dangerous threats. I addressed the threats and healed & removed all but 2. Here's the two threats, copied from AVG:
"";"C:\Users\OWNER\AppData\Local\Google\Chrome\Application\chrome.exe (1692):\memory_02e10000";"Found Luhe.Sirefef.A";"Object is inaccessible."
"";"C:\Users\OWNER\AppData\Local\Google\Chrome\Application\chrome.exe (1692)";"Found Luhe.Sirefef.A";""
I've recently just used Malwarebytes to run a full scan of my computer and remove the Sirefef virus but I'm not sure if there is any damage to files or any malicious viruses hidden or remaining on my computer. My friends told me that I should wipe out everything, but I would like to see if there was an alternative to that. I stumbled across this site (nice site btw) and saw the excellent helping service so thought I'd register and ask. Before the Malwarebytes scan and cleanup, AVG would show warnings about trojans which I couldn't move to the vault for some reason. But ever since the Malwarebytes cleanup I haven't had any pop-ups or problems from AVG about any viruses being detected. But I still want to make sure that there isn't anything... Read more

Answer:Luhe.Sirefef.A Infection

Download TDSSKiller.
Launch it. Click on Change parameters, select "TDLFS file system", then click on "Scan".
Please post the LOG report (the log file should be in your C drive). Do not change the default options on scan results.

Download aswMBR.
Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan.
After the scan finishes, click on Save log.
Post the log results here.

Download ESET online scanner.
Install it. Click on START; it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.
Export the list to desktop, copy the contents of the text file in your reply.

7 more replies