Computer Support Forum

win32/sirefef.ah trojan (causes one minute reboot)

Question: win32/sirefef.ah trojan (causes one minute reboot)

Hello,

I have a Windows 7 Home Premium 64-bit laptop which is infected with the Win32/sirefef.ah trojan. As soon as Microsoft Security Essentials launches it causes the system to give this error: WINDOWS HAS ENCOUNTERED A CRITICAL PROBLEM AND WILL RESTART AUTOMATICALLY IN ONE MINUTE and then reboots. This happens on a regular boot and in safe mode. MSE cannot be uninstalled either. I've read other threads and would like to know which program needs to be run first so I may supply the log files. Your help is appreciated.

thank you,
-kA


Answer: win32/sirefef.ah trojan (causes one minute reboot)

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive. Plug the flash drive into the infected PC. Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt

- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to the disclaimer.
- Place a check next to List Drivers MD5 as well as the default check marks that are already there
- Press Scan button.
- FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box: services.exe
- Now press the search button
- When the search is complete, search.txt will also be written to your USB
- Type exit and reboot the computer normally
- Please copy and paste both logs in your reply. (FRST.txt and Search.txt)

4 more replies

Hi! Had good results with this forum; back again!

Working on my nephew's computer, I noticed Google searches were being redirected. Microsoft didn't catch the initial problem so I ran Malwarebytes and Eset Online scanner which found and cleaned some problems. Rebooted. Microsoft Security Essentials found Sirefef trojan, cleaned and rebooted. Now every time I boot the computer it says it will "restart automatically in one minute" (both safe and normal mode).

OS is Vista
AV is MSE
Advanced Boot options does NOT give me "Repair your computer" option
I do not have the Windows installation disk, although it might be possible to find with a lot of hunting.

Please help!

(As an aside, the reason I went to my nephew's computer was to check on the router... On my laptop my Symantec Endpoint Protection was giving me popups that a "port scan attack is logged" coming from the router. Since it was being blocked I figured I would use the other computer to view the router's admin page.)

Answer: Sirefef (one minute reboot)

Update:
I booted to safe mode and brought up the task manager with a CTRL-ALT-DEL at the first opportunity. I used the processes tab to locate the MSI process and ended it. This allowed me to run DDS and GMER to get the following logs.

Awaiting help,
Thanks!

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by COREY at 20:04:59 on 2012-08-12
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.2047.1652 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.... Read more

33 more replies

Got another one for you... Can't stay logged into windows because of a critical error, and rebooting 1 minute later.

Here is my frst.txt content...

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 27-07-2012 20:21:28
Running from I:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16333856 2009-07-14] (NVIDIA Corporation)
HKLM\...\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui [190472 2009-09-16] (Logitech Inc.)
HKLM\...\Run: [EKAIO2StatusMonitor] C:\Windows\system32\spool\DRIVERS\x64\3\EKAiO2MUI.exe [3240448 2011-12-10] (Eastman Kodak Company)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ABNotify] C:\Program Fi... Read more

Answer: Another Sirefef Infection/1 minute reboot

Please do the following:

Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
1 evrhwdch; \??\C:\Windows\system32\drivers\evrhwdch.sys [x]
2012-07-27 17:17 - 2012-07-27 17:17 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2243DA0DB5B173E7
2012-07-27 17:17 - 2012-07-27 17:17 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\wwogfass.sys
2012-07-27 15:35 - 2012-07-27 15:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2BADF4F3E3ADF4FB
2012-07-27 15:20 - 2012-07-27 15:20 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3BADF02DBC08DE8D
2012-07-23 11:00 - 2012-07-23 11:00 - 00311296 ____A C:\Users\Courtney_2\AppData\Local\plogolc.exe
C:\Windows\Installer\{4935c656-a5da-c5b8-8fc3-b9e67597a38b}
C:\Users\Courtney_2\AppData\Local\{4935c656-a5da-c5b8-8fc3-b9e67597a38b}
replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
... Read more

13 more replies
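As an added, defender-side example (not code from this forum, from the helpers in these threads, or from the FRST tool itself): a small Python parser that reads FRST-style log lines and flags the kinds of entries the helpers above turned into fixlist items: a services.exe copy with a 16-hex-digit suffix in System32, GUID-named directories under Windows\Installer and AppData\Local, a Desktop.ini inside the .NET GAC, a driver entry whose .sys file is missing (marked [x]), and, as a looser heuristic, an executable in a user profile that carries no vendor string. The sample log is constructed from the lines quoted in these threads; the section headers and the exact line layout are assumptions about FRST output, not copied from the tool.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modeled on the FRST lines quoted in the thread above.
# Section headers approximate FRST's layout; they are assumptions, not tool output.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 27-07-2012 20:21:28
Windows 7 Home Premium (X64) OS Language: English(US)

========================== Registry (Whitelisted) =============

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

1 evrhwdch; \??\C:\Windows\system32\drivers\evrhwdch.sys [x]
1 ACPI; C:\Windows\System32\DRIVERS\ACPI.sys [334416 2009-07-13] (Microsoft Corporation)

========================== One Month Created Files and Folders =============

2012-07-27 17:17 - 2012-07-27 17:17 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2243DA0DB5B173E7
2012-07-27 17:17 - 2012-07-27 17:17 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\wwogfass.sys
2012-07-23 11:00 - 2012-07-23 11:00 - 00311296 ____A C:\Users\Courtney_2\AppData\Local\plogolc.exe
2012-07-23 11:00 - 2012-07-23 11:00 - 00000000 ____D C:\Windows\Installer\{4935c656-a5da-c5b8-8fc3-b9e67597a38b}
2012-07-23 11:00 - 2012-07-23 11:00 - 00000000 ____D C:\Users\Courtney_2\AppData\Local\{4935c656-a5da-c5b8-8fc3-b9e67597a38b}
2012-07-20 09:12 - 2012-07-20 09:12 - 00000174 ____A C:\Windows\assembly\GAC_32\Desktop.ini
2012-07-15 08:00 - 2012-07-15 08:00 - 00141848 ____A (Intel Corporation) C:\Windows\System32\igfxtray.exe
"""

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"

# Indicators taken from the items the helpers put into fixlists in this thread.
INDICATORS = [
    ("services.exe duplicate copy",
     re.compile(r"\\System32\\services\.exe\.[0-9a-f]{16}\b", re.I)),
    # Caveat: Windows Installer legitimately caches packages in GUID-named
    # directories, so this one is a lead to confirm, not proof on its own.
    ("GUID-named directory under Windows\\Installer or AppData\\Local",
     re.compile(r"\\(?:Windows\\Installer|AppData\\Local)\\" + GUID, re.I)),
    ("Desktop.ini inside the .NET GAC",
     re.compile(r"\\Windows\\assembly\\GAC_(?:32|64)\\Desktop\.ini", re.I)),
    # FRST marks a driver whose backing file is absent with a trailing [x].
    ("driver entry whose .sys file is missing",
     re.compile(r"^\d+\s+\S+;\s+\\\?\?\\.*\.sys\s+\[x\]\s*$", re.I)),
]

# Heuristic: a PE file dropped straight into a user profile with no vendor string.
USER_PROFILE_EXE = re.compile(r"\\AppData\\(?:Local|Roaming)\\.*\.(?:exe|dll|sys)$", re.I)

# "created - modified - size attrs (Company) path"; the company part is optional.
FILE_ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S+) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]
    path: str


def parse_file_entry(line: str) -> Optional[FileEntry]:
    """Parse one FRST file/folder line; return None for any other kind of line."""
    m = FILE_ENTRY.match(line.strip())
    if not m:
        return None
    return FileEntry(m["created"], m["modified"], int(m["size"]),
                     m["attrs"], m["company"], m["path"])


def scan_frst(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator label, line) for every flagged log line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        for label, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((lineno, label, line))
        entry = parse_file_entry(line)
        if entry and entry.company is None and USER_PROFILE_EXE.search(entry.path):
            findings.append((lineno, "vendorless executable in a user profile (heuristic)", line))
    return findings


if __name__ == "__main__":
    for lineno, label, line in scan_frst(SAMPLE_LOG):
        print(f"line {lineno}: {label}\n    {line}")
```

Run it directly to print the flagged lines. Only the services.exe copies, the missing-driver entry and the GAC Desktop.ini are strong on their own; the GUID-directory and vendorless-executable hits should be read together with the other findings (and with the \U\ sub-directory the later threads mention) before anything is written into a fixlist.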

I am having the same trouble as many others. Can't do anything cause computer restarts every minute. Here are my FRST logs. Thank you in advance for the help.

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 25-07-2012 13:18:19
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2009-09-08] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [174104 2009-09-08] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [151064 2009-09-08] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7739936 2009-09-16] (Realtek Semiconductor)
HKLM\...\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe" [159456 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...&#... Read more

Answer: Sirefef Infection/1 minute reboot

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

5 more replies

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive. Plug the flash drive into the infected PC. Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt

- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

Answer: Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute. Firewall cannot turn on

Hi,

Thanks for the reply.

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 29-07-2012 11:19:09
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL "" [1111568 2011-10-08] (Trend Micro Inc.)
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2589992 2011-04-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [617120 2011-03-13] (Atheros Commnucations)
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [197152 2011-02-10] (Trend Micro Inc.)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\A... Read more

20 more replies

Good day Sir

I am currently using AVG anti-virus. I discovered yesterday that my pc was infected with the above when a pop up appeared from AVG Resident Shield Alert.
Filename : c:\WINDOWS\System32\services.exe
Threat warning: Trojan horse patched_c.LZI detected when open

I searched online & followed to thsi forum. I ran esetscan & found this:
C:\Downloads\Software\apex-video-converter-free.exe multiple threats
C:\WINDOWS\Installer\{9081a400-93a1-c7e5-1756-88339bbd685a}\U\[email protected] Win64/Agent.BA trojan
C:\WINDOWS\Installer\{9081a400-93a1-c7e5-1756-88339bbd685a}\U\[email protected] Win64/Sirefef.AE trojan
C:\WINDOWS\Installer\{9081a400-93a1-c7e5-1756-88339bbd685a}\U\[email protected] a variant of Win32/Sirefef.FD trojan
Operating memory a variant of Win32/Sirefef.EZ trojan
I would appreciatte whatever help in overcoming this threat.

Thank you & looking forward to your advice.
D

Answer: Win64/Agent.BA trojan, Win32/Sirefef.FD trojan & Sirefef.AE trojan

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom

21 more replies

found with mse and scanned with malwarebytes no help, just hoping someone can help
 
dds file logs
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 1.7.0_09
Run by Sean at 15:38:09 on 2013-08-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8141.5674 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* 1
SP: Windows Defender *Disabled/Updated* 0
SP: Microsoft Security Essentials *Disabled/Updated*

.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k... Read more

Answer: trojan.win64/sirefef.p and trojan.win32/sirefef.ab removal help

Hello silencer626

I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sa... Read more

34 more replies

Hello,

i post my problem here as it seems the only place where i've found people who actually know what they're talking about. I have a Sony Vaio Laptop running windows 7 64 bit infected with the sirefef virus. Microsoft security essentials shows that it found:

Trojan: Win64/Sirefef
Trojan: Win64/Sirefef.Y
Virus: Win64/Sirefef.B
Trojan: Win64/Sirefef.Z
Trojan: Win64/Sirefef.W

Every time i boot the computer, MSE finds these infections, and prompts me after a minute to restart in order to complete the removal. But every time it reboots, the message is still there. I tried installing Malwarebytes but it won't let me cause it says "access denied" or something like that. Sorry for not providing any more information but i can use my pc for a couple of minutes every time (cause it reboots automatically). I followed your instructions and scanned with DDS. I attach the attach.txt file it generated. I look forward to hearing from you as i really need the laptop for my university studies and i'm in the middle of the exams period. Thank you for your time!

P.S. If i restore my whole system to factory settings, is the problem going to persist? Cause if it's not, i will do it in a heartbeat. Only problem is that i am afraid of infecting my external hard drive (which would be already infected if the virus spreads to external devices). Would that be the case? Will i need to clean my external HDD too?

Answer: Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute

Hello and welcome. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean! Please do not run any scans or install/uninstall any applications without being directed to do so.

Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive. Plug the flash drive into the infected PC. Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account an... Read more

2 more replies

Hi,
 
I tried the search but couldn’t find any threads about Trojan:Win32/Sirefef.AB and Trojan:Win32/Sirefef.AN. I apologise in advance if this is not the place to post this.
 
I’m running an old Hp Pavilion using Windows XP. Yesterday my computer was attacked by a virus that disabled Microsoft Security Essentials, breaking the desktop shortcut and making it unusable. I found, using a trial version of hitmanPro, that the virus disables and redirects Microsoft Security Essentials’s files. However because the trial period was over I was unable to repair it. I performed a system restore in safe mode. The restore “failed” but it partially “fixed” Microsoft Security Essentials. Immediately after, I ran a quick scan using Malwarebytes in safe mode with networking. It found a vendor called Rootkit.0Access that it was unable to remove, even after a few repeated quick scans. I downloaded and attempted to use the Malwarebytes Anti-Rootkit tool but was unable to get it to work. I then searched the internet about the file and found that TDSS Killer could help. After running TDSS Killer and restarting in normal mode it managed to fix the issue and Microsoft Security Essentials notified that the computer was infected and gave the option to clean. After cleaning it gave the option to restart the computer. After restarting it found two files called Trojan:Win32/Sirefef.AB and Trojan:Win32/Sirefef.AN under the "All detecte... Read more

Answer: Trojan:Win32/Sirefef.AB and Trojan:Win32/Sirefef.AN files

Hello moe, please run these next. Try all from Normal mode unless you cannot run them, then use safe mode with networking.

Please download Rkill by Grinler and save it to your desktop.
Link 1
Link 2
- Double-click on the Rkill desktop icon to run the tool.
- If using Vista, right-click on it and Run As Administrator.
- A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
- If not, delete the file, then download and use the one provided in Link 2.
- If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
- If the tool does not run from any of the links provided, please let me know.
...
Run TDSS again
- Download TDSSKiller and save it to your desktop.
- Extract (unzip) its contents to your desktop.
- Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
...
Last run ESET.
Hold down Control and click o... Read more

4 more replies

Microsoft Security Essentials keeps reporting this Trojan and quarantines it. After attempts to remove the file, It keeps reappearing. It shows a file location that I am unable to find on my system C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\U\[email protected]
Now I am getting a warning about VirTool Win32/Obfuscator.XQ @ C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\n However, this file cannot be located either. There is no C:\Windows\Install directory.
Also Combofix loads and starts then it crashes. Disappears from file manager and splash screen disappears -- The program literally stops running.


DDS Text File Contents:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Estelle Clark at 2:59:47 on 2012-05-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2423.1353 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSp... Read more

Answer: Infected with Trojan:Win32/Sirefef.AG and Sirefef.I

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more

4 more replies

Hi,
I have recently changed AV probrams from Eset nod 32 to Microsoft Security Essentials.

Upon running a scan with MSE, it has detected two trojans,
Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

Located in:
C:\Windows\assembly\GAC_32\Desktop.ini

I have gone through READ & RUN ME.
I did not run RootRepeal as I have Windows ultimate x64.
ComoboFix and TDSSKiller did not create log files.

TDSSKiller did find 2 threats and attempt to delete, upon reboot Windows because stuck in loading.

Thanks in advance
 

Answer: Trojan:Win32/Sirefef.AB & Win64/Sirefef.P

Currently reviewing those logs and will get back to you as soon as possible.
 

2 more replies

I installed Microsoft Security Essentials and ran a full scan of the system. But I found out that my Windows is attacked by Trojan:win64/Sirefef.W, Trojan:win64/Sirefef.M and Trojan:win32/Sirefef.AK. Microsoft Security Essentials was unable to remove them. The main issue that I have been facing since this incident is that Windows can't update Firewall settings. The following message is displayed: "Windows Firewall cant change some of your settings. Error code 0x80070424". Additionally, the antivirus program "Microsoft Security Essentials" keeps on detecting the above mentioned malwares and asks to delete these files. Once deleted it asks for a reboot. After restart again these viruses are re-created and it's been happening for the last couple of weeks.

In order to resolve this issue I searched the internet and found http://www.bleepingcomputer.com so I posted a topic regarding this issue and I have been receiving help from one of your experts. Here's the link of this topic: http://www.bleepingcomputer.com/forums/topic455970.html/page__gopid__2721298#entry2721298

Now that problem persists, I have been asked for the elevated help and to post a new topic here. I am glad to know that your team is so dedicated for our help. As I am using 64-bit version of Windows so only DDS logs were created. DDS.txt logs are given below and attach.txt has been attached as well.....

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion... Read more

Answer: Infected with Trojan:win64/Sirefef.W, Trojan:win64/Sirefef.M and Trojan:win32/Sirefef.AK

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more

27 more replies

Hi there, I kept getting a virus that AVG couldn't remove, which AVG wouldn't stop popping up about, so I tried a different anti virus software, MSE, which seemed to have (I would believe) half fixed the problem, as symptoms from the virus before like redirected webpages etc. MSE managed to stop. However MSE is having trouble dealing with Trojan:Win64/sirefef.M and Trojan:Win32/sirefef.AK. Now I saw a topic posted about the win32 one which suggested using combofix, which this site states do not use unless asked to, so I wanted to do things by the book (or ask you guys about the problem). I have used combofix before on the same machine to remove another virus a while ago (maybe a year ago?). A step by step method of removing the viruses and what the viruses actually do so I know how bad it is for future reference. Thank you.

Using an ASUS ROG laptop with Windows 7.

Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal

Answer:Trojan:Win64/sirefef.M and Trojan:Win32/sirefef.AK

Download TDSSKiller. Launch it. Click on change parameters. Select TDLFS file system. Click on "Scan". Please post the LOG report (the log file should be in your C drive).

Download aswMBR. Launch it, allow it to download the latest Avast! virus definitions. Click the "Scan" button to start the scan. After the scan finishes, click on Save log. Post the log results here.

Download ESET online scanner. Install it. Click on START, it should download the virus definitions. When the scan gets completed, click on LIST of found threats. Export the list to desktop, copy the contents of the text file in your reply.

15 more replies
Relevance 78.72%

Hello everyone, sorry if I make another post about this virus but as I saw around it seems to be different for everyone (the removing process)

Here I am, from Italy, praying for someone to help me to remove this. The situation atm is that on intervals of 3 minutes Microsoft Security Essentials finds on my PC these 2 files

Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P
and I don't know what to do.. Anyone that is able to help me?

EDIT: I'm running Windows 7 Ultimate edition 64 bit Service Pack 1
 

Answer:Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P NEED HELP PLEASE!

Anyone that can help me? That thing is stealing all my passwords!
 

2 more replies
Relevance 78.72%

Hi,
I'm stuck with Microsoft Security Essentials detecting two trojans upon startup:

Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

Located in:
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

I ran everything on the READ & RUN ME (except RootRepeal as I got Windows 7 Professional x64).

I hope I have attached all needed logs.

P.S. I'm pretty sure that the KMService.exe in the MBAM log is a false positive (It's MSOffice activator).
 

Answer:Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Also this:
 

20 more replies
Relevance 78.72%

Hi, I'm from Portugal and I'm getting frustrated because I can't remove this virus.

Microsoft Security Essentials is finding 2 files I can't remove when I reboot the computer. When I reboot, MSE continues to find those files.

I'm running Windows 7 Home Premium Edition 64 bit service pack 1.

Please help me!

Answer:Trojan:Win32/Sirefef.AB and Trojan:Win64/Sirefef.P

Help me, please. I don't know what to do.

60 more replies
Relevance 78.72%

Hello everyone, sorry if I make another post about this facking virus but as I saw around it seems to be different for everyone (the removing process)

Here I am, from Italy, praying for someone to help me to remove this facking bleep. The situation atm is that on intervals of 3 minutes Microsoft Security Essentials finds on my PC these 2 files

Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P
and I don't know what to do.. Anyone that is able to help me?

EDIT: I'm running Windows 7 Ultimate edition 64 bit Service Pack 1

Answer:Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P NEED HELP PLEASE!

Anyone that can help me? That thing is stealing all my passwords!

4 more replies
Relevance 78.72%

Hi guys,

I'm running Windows 7 64bit OS. I recently found that Microsoft Security Essentials wasn't running and I had to reinstall it. Once I did it found these trojans.
I did a bit of research and read some other posts but it looks like there is a detailed and unique fix for each person.

I think I have done everything in the READ AND RUN ME thread, and I hope I have attached all the correct logs as requested.

The only problems I had were with MGTools. I got the following errors:
"The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll"
and
"Application has generated an exception that could not be handled.

Process id=0xac8 (2760), Thread id=0xce4 (3300)"

Thanks for your time.

Cheers
 

Answer:Trojan: Win32/Sirefef.AB and Trojan: Win64/Sirefef.P

Rescan with HitmanPro.
Choose to Delete these files if they are detected:

C:\$Recycle.Bin\S-1-5-18\$f6a6e0a66969d09ba37420a38f97ea5e\n
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

Ignore all other detections.
Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

[RUN][BLACKLIST DLL] HKLM\[...]\Run : THXCfg64 (C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-360523327-522932163-1323501305-1000\$f6a6e0a66969d09ba37420a38f97ea5e\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$f6a6e0a66969d09ba37420a38f97ea5e\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : ... Read more

11 more replies
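The HitmanPro/RogueKiller reply above lists three kinds of indicator: UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin) forced to 0, a Desktop.ini planted under C:\Windows\assembly\GAC_32 and GAC_64 (the same two paths an earlier poster in this page reported), and CLSID InprocServer32 entries redirected into a $Recycle.Bin folder. The script below is an added, read-only check written for this page; it is not code from the forum, from HitmanPro or from RogueKiller. The full registry paths to the UAC policy key are the standard ...\Policies\System locations (the reply abbreviates them as HKLM\[...]\System), and sweeping every CLSID for a recycle-bin server path, rather than only the two CLSIDs shown, is an assumption that no legitimate in-process COM server lives there. It reports findings and changes nothing, so it is safe to run before deciding on removal.

```powershell
# Added example, not from the forum thread or any of the tools it names.
# Read-only sweep for the Sirefef/ZeroAccess indicators listed in the reply.
# Run from an elevated PowerShell prompt on the suspect machine.

$findings = New-Object System.Collections.Generic.List[string]

# 1. UAC policy values. The reply shows EnableLUA and ConsentPromptBehaviorAdmin
#    at 0 (UAC off, admin consent prompt silenced). Assumed full paths: the
#    standard Policies\System key and its Wow6432Node copy, as in the reply.
$uacKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $uacKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin') {
        $value = $props.$name
        if ($null -ne $value -and $value -eq 0) {
            $findings.Add("UAC weakened: $key\$name = 0")
        }
    }
}

# 2. Desktop.ini inside the GAC directories. The reply lists exactly these two
#    paths for deletion; a Desktop.ini there is not expected on a clean system.
$gacIni = @(
    "$env:SystemRoot\assembly\GAC_32\Desktop.ini",
    "$env:SystemRoot\assembly\GAC_64\Desktop.ini"
)
foreach ($path in $gacIni) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings.Add("Suspicious file: $path ($($item.Length) bytes, attributes $($item.Attributes))")
    }
}

# 3. COM hijack: InprocServer32 default values pointing into $Recycle.Bin.
#    The reply shows such entries tagged [ZeroAccess]; this generalizes to every
#    CLSID (assumption: no legitimate in-process server is stored there).
#    HKCR merges HKLM and HKCU Classes, so per-user hijacks are covered too.
$clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $inproc = Join-Path $_.PSPath 'InprocServer32'
    if (-not (Test-Path $inproc)) { return }
    $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if ($server -and $server -match '\\\$Recycle\.Bin\\') {
        $findings.Add("COM hijack candidate: $($_.PSChildName) InprocServer32 -> $server")
    }
}

if ($findings.Count -eq 0) {
    'No Sirefef/ZeroAccess indicators from the thread were found.'
} else {
    $findings
}
```

Any hit in section 3 is worth more than a hit in section 1 on its own: a disabled UAC can be an administrator's choice, while an in-process COM server loaded from the recycle bin has no benign explanation and matches the loading trick the RogueKiller output shows.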
Relevance 78.31%

This is my first post. Thanks in advance for any help you can provide!

The Microsoft Security Essentials icon in the tray turned red, as if the service was turned off. I was having trouble getting it turned back on, so I went to the control panel and uninstalled the service. I downloaded a new copy from the Microsoft website and reinstalled.

Soon after installing, I got a message saying that threats had been cleaned off the computer and then another saying that 2 threats had been quarantined. The threats quarantined were:

Virus:win32/sirefef.R and Trojan:win32/sirefef.AH

As this threat message pops up, I then get a window open telling me that Windows has encountered a critical error and will shut down in one minute.

It restarts, stays on for about 90 seconds, but then shuts down again with the same message about detecting sirefef.R and .AH

Here are the logs:

Scan result of Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 11-08-2012 01:07:48
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-03-30] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-03-30] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe... Read more

Answer:Sirefef virus/trojan - my PC keep restarting every minute - Win Home Basic 7 - 64bit

Greetings And Welcome To The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

16 more replies
Relevance 78.31%

Dear all, I'm a new member from a very far away location from yours, and this is my first post. I'm not a native English speaker so please forgive me if I use incorrect wordings. I must say that I'm illiterate in computer language, but I'm patient and ready to do whatever I've been told to keep my PC 'healthy'. Yesterday my desktop in the office was infected by Live Security Platinum (LSP). I was astonished when the rogue said that my PC had 38 virus/malicious programs, I should take action immediately, pay money to get a license, blah blah blah... Called my friend seeking advice but only got the answer that I had no choice but to call a computer service company to help me. Ahhh, I was so pissed off & concerned about the worst situation that may happen. I went on the Microsoft Support Center site for advice & very happeningly found the BleepingComputer site, I did all the instructed steps to Remove Live Security Platinum (Uninstall Guide) & it worked. No more threat from LSP, but then my Window Security Essential (WSE) couldn't run, its icon in red. This morning, I had to remove & re-install the WSE. After installing, I ran WSE and then I got 2 messages, 1 from WSE and 1 from Notification. The messages have the same content as jtsm's in the Sirefef virus/trojan - Laptop restarting - Vista 32 bit topic. Right now my desktop is infected by Sirefef Trojan/virus. Please help me get rid of this virus. I don't know how to get & copy the log like jtsm. Please ins... Read more

Answer:Sirefef virus/trojan - my PC keep restarting every minute - Win Home Basic 7 - 32Bit

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more

3 more replies
Relevance 78.31%

Dear all, I'm a new member from a very far away location from yours, and this is my first post. I'm not a native English speaker so please forgive me if I use incorrect wordings. I must say that I'm illiterate in computer language, but I'm patient and ready to do whatever I've been told to keep my PC 'healthy'. Yesterday my desktop in the office was infected by Live Security Platinum (LSP). I was astonished when the rogue said that my PC had 38 virus/malicious programs, I should take action immediately, pay money to get a license, blah blah blah... Called my friend seeking advice but only got the answer that I had no choice but to call a computer service company to help me. Ahhh, I was so pissed off & concerned about the worst situation that may happen. I went on the Microsoft Support Center site for advice & very happeningly found the BleepingComputer site, I did all the instructed steps to Remove Live Security Platinum (Uninstall Guide) & it worked. No more threat from LSP, but then my Window Security Essential (WSE) couldn't run, its icon in red. This morning, I had to remove & re-install the WSE. After installing, I ran WSE and then I got 2 messages, 1 from WSE and 1 from Notification. The messages have the same content as jtsm's in the Sirefef virus/trojan - Laptop restarting - Vista 32 bit topic. Right now my desktop is infected by Sirefef Trojan/virus. Please help me get rid of this virus. I don't know how to get & copy the log like jtsm did. Please... Read more

Answer:Sirefef virus/trojan - my PC keep restarting every minute - Win Home Basic 7 - 32Bit

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive. Plug the flash drive into the infected PC. Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using a Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options: Startup Repair, System Restore, Windows Complete PC Restore, Windows Memory Diagnostic Tool, Command Prompt.
Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe and press Enter. Note: Replace letter e with... Read more

13 more replies
Relevance 77.08%

Hello, MSE had a message that said detected and cleaned virus and in the history came up Trojan:win32/sirefef.ak
.am
.ag
/sirefef and then proceeded to say remove.
kept getting the MSE logo spinning and saying cleaning and then same viruses would be in history
I used Malwarebytes and it found the four as well and cleaned them but I feel something is still there and running in the background because when I reboot my desktop icons keep resetting if I change them. Need help

Thanks
LR

what do you need for me to run a log to show the computer status?

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Roger Trudel :: ROGERTRUDEL-PC [administrator]

12/06/2012 6:25:09 PM
mbam-log-2012-06-12 (18-25-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 280359
Time elapsed: 15 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)... Read more

Answer:Trojan: win32/sirefef.ak & am & ag and sirefef

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, please delete ... Read more

28 more replies
Relevance 77.08%

Hello Bleeping!
A few days ago I removed Norton AV and installed MSSE. MSSE detected Trojan Dropper: Win32/Sirefef.B and Rogue:Win32/FakeRean. For the past two full system scans MSSE has detected and removed the dropper, and the last scan (last night) detected the Fake Rean. The MSSE removals don't appear to be effective against the dropper. Another peculiar thing, when I installed MSSE a few days ago, it told me my firewall was not up, but when I go into MS Security Center it says that the firewall is "ON". Not sure if perhaps the Norton AV removal maybe wasn't complete and that I am getting "false positives", or if something is really there. My logs are as follows:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_30
Run by Eric at 16:37:09 on 2012-02-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2216 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\syste... Read more

Answer:Infected with Trojan Dropper: Win32/Sirefef.B AND Rogue: Win32 Fake Rean

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only), if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job, this is normal.
You can download Combofix from one of these links: Link 1 Link 2 Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

18 more replies
Relevance 75.85%

Hello,

Yesterday my PC was infected with the Live Security Virus. It's an HP desktop running Win Vista Home Premium.

I was able to download AntiMalwarebytes and run it to remove the Live Security Virus.

Afterwards MSE would not run, so I uninstalled it, and reinstalled.

After rebooting, MSE detected the sirefef.ah and sirefef.r viruses, but before it can clean them the PC gives a warning that it had a critical error, and will restart in a minute. It then restarts.

I tried downloading TDSSKiller onto a flash drive on this PC (my laptop), plugged it into the infected PC and ran it, but it didn't find anything. Sure enough, it then shut down again.

MSE will detect the viruses, but doesn't have enough time to deal with them.

I'd love some help! What should I try next?

Thanks!
Ian

Answer:Infected with sirefef.ah and sirefef.r after Live Security Update - reboots every minute

Ignore this for now, I've taken the PC into a local shop. I just don't have the time right now to figure this out on my own. I will post any solutions they tell me.

Thanks anyway, I'll be back for other issues I'm sure!

22 more replies
Relevance 74.62%

Hi... I'm having a terrible time with my desktop computer. MSE detected a trojan sirefef.P virus 3 days ago. After that detection, when I did a Yahoo search, I was being redirected to random ad sites (finesearchsystem dot com, star dot feedsmixer dot org, etc....) I have run MSE, Spybot S&D, Malwarebytes, Kaspersky, and Security Task Manager. All have found some sort of malware, but the sirefef keeps popping back up. In addition, I am unable to turn on my windows firewall as there is an error code 0x80070424. The thing that concerns me the most is that MSE in its history log shows that it allowed the sirefef.P and zbot which means they made all kinds of settings changes and are probably embedded deep in my computer. What steps can I take to remedy this? I have been on another forum, but have not been able to open a topic. I found some instruction on some things I could run to get diagnostic info, but haven't been able to post it. Thanks

Answer:trojan win32/sirefef.P and PWS Win32/zbot

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you. If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom

3 more replies
Relevance 73.8%

Please help!  I felt compelled to be a “good Samaritan” today, and advise a well-known UK Political Party that all the roadside advertising boards they had put up over the weekend in my village had been stolen during the night! Therefore with good intentions, I visited their website and on clicking to get their local contact details received an alert from Trend Micro that it had detected and quarantined the MAL_Xin12 virus
 
At the time I was remotely linked by my laptop (HP ProBook) to my desktop (Dell Vostro 460) as I'm not well so was working from my bed. An Adobe PDF exe then launched and knowing not to allow it to run I tried to shut this down using the X, but it simply wouldn't work and just kept popping back up. So, I hauled myself out of bed and went to the Vostro and disconnected the remote link. I stopped the PDF process from Task Manager and shut the whole computer down then rebooted. On restarting my sound card was knocked out and then Windows Defender reported that it had detected and quarantined WIN32/Sirefef. There was no other suffix, just that. I immediately telephoned the Political Party to advise them that their website was infecting their visitors and whilst doing this, Defender automatically removed the Sirefef. I then started scanning with SuperAntiSpyware and MBAM (which I use regularly) and googled both viruses as I was not familiar with either. I was horrified with what I learned.
 
SAS found nothing... Read more

Answer:MAL_Xin12, Win32/Sirefef, Trojan.0Access & Trojan.FakeMS

Hello WSK

I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this... Read more

30 more replies
Relevance 73.8%

Yesterday I ran Malwarebytes anti-malware and Microsoft Security essentials on my netbook(an eMachines eM25 Intel(R) Atom(TM) Cpu @1.6GHz, 32bit windows 7 starter).

While running MSE my computer slowed and a pop up appeared titled "You are about to be logged off" stating "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work". My computer then restarted. It is stuck in this loop of restarting now and is only on for about 2 minutes each time. While it was on i hurried up and wrote down what problems malwarebytes and MSE found.

Malwarebytes
Rootkit.0access C:\\Windows\Installer\{1aeff516-31d-268-a0c7-502804609106}\n\U\[email protected]

Trojan.Zaccess HKCU\Software\Classes\CLSID\{42AEDC87-2188-441FD-B9A3-0C966FEABEC1}\INRROCSERV32

Microsoft Security Essentials
Trojan Win32\sirefef with multiple different endings like .R and .H

Any information would be extremely helpful.
 

Answer:Rootkit.0access, Trojan.zaccess, Trojan win32/sirefef

Please follow these instructions:

READ & RUN ME FIRST. Malware Removal Guide

If you can't stay booted up for any length of time, try working in safe mode.
 

14 more replies
Relevance 73.39%

Problem started as Live Platinum fake anti-virus. I thought I successfully removed this with MBAM, etc. But shortly thereafter MSE alerted that it detected Sirefef.R & Sirefef.AH. Now every time I reboot I get a message that Windows has encountered a critical problem and the computer shuts down after 1 minute. I followed the steps on the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help, but I am not able to run DDS or GMER scans because the system reboots before they finish. I am stuck!
OS is Windows 7, 32-bit.
Thanks in advance.

Answer:Sirefef.R, Sirefef.AH, computer shuts down after 1 minute

Greetings And Welcome To The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more

23 more replies
Relevance 73.39%

OS - Windows 7 32-bit

I have obtained the Sirefef trojan on my laptop and would like assistance in getting rid of it. My situation is very similar to the one found in this topic. I am afraid to use the Internet on my infected laptop, so I hope to use a USB flash drive to solve the problem (as in the above topic).

Let's tackle this problem together! You guys are great at what you do, and I admire your expertise. I'm ready to follow your lead!

Thanks,
Stratego

Answer:Sirefef Trojan ||| Reboot Loop

I do not have access to the System Recovery Options because I have misplaced my Windows 7 installation disc.

However, I still managed to use Farbar Recovery Scan Tool, although it was not in a recovery environment.
I think I should be okay.

The following is my FRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 15-08-2012
Ran by Zack at 15-08-2012 16:40:14
Running from F:\
Service Pack 1 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.
============ One Month Created Files and Folders ==============

2012-08-15 16:31 - 2012-08-15 16:40 - 00000000 ____D C:\FRST
2012-08-15 14:31 - 2012-08-15 16:04 - 00000914 ____A C:\Windows\PFRO.log
2012-08-15 14:14 - 2012-08-15 14:14 - 00000000 ____D C:\Users\All Users\ESET
2012-08-15 14:08 - 2012-08-15 14:14 - 00000000 ____D C:\Program Files\ESET
2012-08-15 03:06 - 2012-08-15 16:37 - 00001512 ____A C:\Windows\setupact.log
2012-08-15 03:06 - 2012-08-15 03:06 - 00000000 ____A C:\Windows\setuperr.log
2012-08-14 21:18 - 2012-08-14 21:18 - 00000000 ____D C:\Windows\System32\%APPDATA%
2012-08-09 18:10 - 2012-08-09 18:10 - 00098304 ____A (Sony DADC Austria AG.) C:\Windows\System32\CmdLineExt.dll
2012-08-07 23:20 ... Read more

9 more replies
Relevance 72.98%

I've had problem with TrojanOS/Alureon.E for some time now, microsoft security essentials keeps showing up and can't seem to remove it. Also had trojan:win32/sirefef for some time with the same problem as Alureon.E, but it's just gone for now, at least it doesn't show in microsoft security essentials anymore. Is this anything you could help me with?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 06:08:36, on 2012-11-18
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16455)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Users\Marcus\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Users\Marcus\AppData\Roaming\Spotify\spotify.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Marcus\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://se.msn.com/?ocid=OIE9MSE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h... Read more

Answer: PC slow, Trojan:DOS/Alureon.E possible trojan:win32/sirefef

16 more replies

Microsoft Security Essentials keeps on finding the malware Trojan:WIN32/Sirefef on my computer on a regular basis. It's quarantined and then deleted by me, but keeps coming back. Computer symptoms include high CPU usage and internet explorer running in the background (almost exclusively use firefox).

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:15:02 PM, on 5/13/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX... Read more

Answer: Trojan:WIN32/Sirefef help

16 more replies

Hi, I would welcome any help that can be provided as my PC has contracted a big problem!

- When using google in browsers the search terms redirect to ad sites. While loading, the term "colossalsearch.com loading" or similar, appears in the browser.

- All anti-virus software programs have been affected. AVG no longer works, the trojan appears to have disabled the program. I've tried to download again and install but it cannot install. Malwarebytes only works in safe mode. I've tried to download avast free software but this does not work.
- Spybot works and identifies about 10 files which I keep removing but they come back.
- PC has gone extremely slow.

- Windows defender identified the virus as "Trojan:Win32/Sirefef.O".

- I tried to run GMER as instructed and it loaded but when I tried to scan, it seemed to disappear. When I tried to run again, it came up with the message "Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item".
- I'm currently in safe mode with networking.
- Logs attached below.

Thanks in advance for any help!

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19154 BrowserJavaVersion: 1.6.0_17
Run by Mark at 9:00:58 on 2011-10-27
Microsoft? Windows Vista? Home Premium 6.0.6002.2.1252.44.1033.18.2045.1219 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-... Read more

Answer: Trojan:Win32/Sirefef.O

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more

4 more replies

Well guys! Now it was my time to get this little bugger!

The virus we are talking about is - Win32/Sirefef.DA trojan

Currently I am using Eset NOD32 Antivirus 4.0.468.0. I have been researching some way to solve this little bugger. I have used TDSSKiller, Avast, Malwarebytes Anti-Malware, Combofix (which I am sure I didn't use correctly), and the ESET online malware scanner.

So where do we start? It's still reported on my ESET NOD32 that I am infected while it couldn't be cleaned earlier. So I am still very worried about using any personal information on the internet.

What do I do?

I use Windows Vista Home Premium 32 bit.
 

More replies

Hi


My ESET antivirus has notified me that I am infected with the win32/Sirefef.DA trojan. It says that it is in the operating memory and that it could not remove it. If someone would be able to help me remove it I would greatly appreciate.
 

Answer: Win32/Sirefef.DA trojan

Welcome to the Malware Removal Forum.

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:


If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user acco... Read more

1 more replies

On my personal computer (Windows XP Home), Microsoft Security Essentials is finding a trojan win32/sirefef.ag. However, after removal, the trojan shows up again. Malware AntiMalware Bytes does not find the trojan. I have tried running EmiSoft, but can not download the latest updates.

I have also tried all 3 programs in Windows safe mode to no avail. Any suggestions?

Answer: Trojan win32/sirefef.AG

Hello and Welcome to Bleeping Computer!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At t... Read more

20 more replies

My computer has been running really slow and redirecting any searches on the web, so I ran a free scan from eset. It was able to fix all trojans except this win32/sirefef.da. I am not very good with computers, so any help would be greatly appreciated to get this removed. Thanks!
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:33:55 AM, on 2/16/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AEIOMed Everest\Service\AEIOMed.exe
C:\Program Files\AEIOMed Everest\Server\bin\tomcat5.exe
C:\Program Files\eBLVD\ebhost.exe
C:\Program Files\eBLVD\ebhost.exe
c:\progra~1\mcafee\sitead~1\McSACore.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Documents and Settings\VICKI\Local Settings\Application Data\Google... Read more

Answer: win32/sirefef.da trojan

7 more replies

Hi,

My ESET antivirus has notified me that I am infected with the win32/Sirefef.DA trojan. It says that it is in the operating memory and that it could not remove it. If someone would be able to help me remove it I would greatly appreciate.

Thank you for your time.
 

Answer: Win32/Sirefef.DA trojan

Welcome to the Malware Removal Forum.

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:


If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user acco... Read more

6 more replies

Hi, After downloading an audio codec, my Avast anti virus has been popping up every 5 minutes or so to say Win32:\sirefef-PL blocked and Win32:\sirefef-ZT blocked.
I have since done a quick scan, full system scan and boot time scan with Avast but when I tried to delete, move to virus chest or fix these problems the following came up:
Win32:\sirefef-PL - Error: the system could not find the file specified (2) File name:C:Windows\system32\services.exe

Win32:\sirefef-ZT - Error: the process cannot access the file because it is being used by another process (32) File name:C:\Windows\assembly\GAC_32\desktop.ini

This happened in the normal scan and the boot time scan.

I have located services.exe and cannot delete the file or find it in the processes tab of task manager in order to end the process and have found a desktop.ini but in a different address path and a file scan didn't show any infection.

I have also done a scan with Malwarebytes and have attached the log to this post. I did a second scan which showed no threat even though I'm still getting notifications from Avast.

I don't know if my personal information is at risk as Avast is blocking the attempts but my computer also seems to have slowed significantly too.
Any help/advice with this problem would be greatly appreciated as I have spent 2 nights trying all sorts to remove these.

Thanks in advance.

Answer: Win32:\sirefef-PL & ZT, Trojan-Gen

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more

3 more replies

Hello,
Our son downloaded something on our laptop that has affected our OS, WinXP. Our AV Eset cannot run and when I looked into the logs report, it shows that the laptop is infected with win32/Sirefef.CT trojan.

I tried running the eset scan with no success.

We would appreciate your assistance. Thank you.
James

Answer: Win32/Sirefef.CT trojan

Attached files as per your online instructions:

DDST.txt pasted and attach.zip and ark.txt are attached.

I have an original XP install CD.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by matthewjackson at 13:21:11 on 2011-10-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1602 [GMT -7:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\USB LOCK AP\klpsrvc.exe
C:\WINDOWS\system32\PrintCtrl.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
"C:\Program Files\USB LOCK AP\svchost.exe"
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\Program Files\Acronis\DiskDirector\OSS\reinstall_svc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Intell... Read more

11 more replies

Hello to you,
I am actually at a friend's PC which has several versions of the Sirefef trojan.

MSE (Microsoft Security Essentials) could put a huge amount of them into quarantine (Sirefef.AL / .AG / and without .xx); on one it actually found, MSE tries to quarantine Sirefef.R (and .AH), gets stuck after one minute, and two minutes later the computer is forced to shut down.

In the MSE window I can see that services.exe in c:\windows\System32 of the Windows Vista Home Premium SP2 is infected.
I have seen that mods need DDS and Farbar Recovery Scan Tool logs for supporting this?
I guess taking the services.exe from a working Vista HP SP2 and replacing the infected file is not enough?
Thanks and best regards, Chritian

PS: Can I put all needed files on a 2GB USB stick and prevent the stick from being infected by the virus? I had an older stick with a hardware knob to make it write-protected, but current sticks do not support this kind of protection?!

Answer: Trojan:Win32/Sirefef

First run Panda USB Vaccine on the USB drive. Please go here: Preparation Guide, do steps 6-9. Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. If GMER won't run (it may not on a 64 bit system) skip it and move on. Let me know if that went well.

1 more replies

Cannot remove the following viruses from my computer:
 
Trojan:win32.sirefef.AB
Trojan:win64/sirefef.P
 
I'm running windows 7 64 bit.
 
Please help!

Answer: Trojan:win32/sirefef.AB

Welcome aboard. That kind of infection requires elevated help. Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

1 more replies

Slow performance and constant pop up by the default windows anti-virus.
--
DDS (Ver_2012-10-14.05) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_32
Run by Miguel at 21:19:10 on 2012-10-15
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3032.1778 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86... Read more

Answer: Trojan:Win32/Sirefef.AN

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In ... Read more

11 more replies

Hello,
My system got affected with a trojan and now I have tried all the ways on help online but nothing seems to help. If anyone can help me in resolving this issue it would be great. Here is the error that I am getting.
ESET Smart Security 5

Alert
Threat found

Object: c:\windows\system32\services.exe
Threat: win32/sirefef.FC trojan

Event occurred during an attempt to access the file by the application: c:\windows\system32\svchost.exe.

Delete
The object contains a possible threat for your system. This option will remove the object from your system.

No action - Not recommended
Despite a potential threat, the object will not be cleaned or deleted and will persist in the system.

Error while deleting.

Answer: win32/sirefef.FC trojan

what operating system are you using?

4 more replies

I recently did a scan of my C drive with Eset Smart Security and received a notice stating that I had a trojan that could not be cleaned called win32/Sirefef.FC in C:\Windows\system32\services.exe. I did a search of this and came across this site so I thought I would post and see if you could help.

Thanks,
Shane

Answer: win32/Sirefef.FC trojan

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

25 more replies

I ended up with TROJAN:WIN32/SIREFEF and TROJAN:WIN32/SIREFEF.AL and TROJAN:WIN32/SIREFEF.AQ on my pc, probably from a bad website. I have Microsoft Security Essentials running and it found them and quarantined them and I then deleted them. Or so I thought. I also have Malwarebytes installed (the free version) and when I ran it, it also found trojans although it didn't name them. I still have those logs.

When I run MS Security Essentials now it says my pc is clean and Malwarebytes says the same thing. However...

My Windows Firewall is now turned off (I did not do that) and I can't turn it back on. When I try to launch the Security Center (through msconfig --> Tools), I get a message saying that "The Security Center is currently unavailable because the "Security Center" service has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again." (I tried all of that.) If I try to get to the Firewall through the Control Panel, I get a message saying "Due to an unidentified problem, Windows cannot display Windows Firewall settings."

MS Security Essentials cannot receive updates. When I try to, I get this message: "Virus and spyware definitions update failed. Security Essentials couldn't check for virus and spyware definition updates. Check your Internet or network connection and try again. Click Help for more i... Read more

Answer: TROJAN:WIN32/SIREFEF

Hello keeta, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. Please download the latest version of TDSSKiller from here and save it to your Desktop. Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
Put a checkmark beside loaded modules.
A reboot will be needed to apply the changes. Do it. TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is nor... Read more

10 more replies

I have an infection, detected by Microsoft Security Essentials, of Trojan:Win32/Sirefef.AG and Trojan:Win32/Sirefef.I

I have been unsuccessful in removing this infection. Can you help?
Estelle
PS: this infection is supposedly in this file: C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\U\[email protected] But it cannot be found on my system.
@myrti in IRC told me to post this question in this forum.

Answer: Trojan:Win32/Sirefef.AG

Hi eclark53, please create a log with DDS (if you can) and post it here. Please run a scan with DDS: Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results, click no to the Optional_Scan. Follow the instructions that pop up for posting the results. Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.

Do you have a 32bit or a 64bit OS?

Regards, myrti

2 more replies

Hi there.

Eset is reporting that I've got Win32/Sirefef.DN trojan in Operating memory.
I've tried cleaning it, but it returns.

Computer behaviour is getting worse. Some examples:
New firefox tabs opening
Firefox redirects to ebay
Computer fans varying wildly when idle
Malware software not running correctly.

I've attached the result from DDS, but gmer wouldn't run. Errors were that it couldn't access a file because it was in use and also something to do with an external disk.

I have access to my Dell start disc.

Thanks in advance!


Here's the contents of the DDS scan:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by thingswelike at 12:55:33 on 2012-01-25
Microsoft? Windows Vista? Business 6.0.6002.2.1252.44.1033.18.3069.1919 [GMT 0:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k Netw... Read more

Answer: Win32/Sirefef.DN trojan

Hi

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed. Note that if you do not respond within 5 days I shall no longer check this thread for replies.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.


IMPORTANT - for Windows Vista and Windows 7 start all tools by using right click > Run as Administrator.



Please download Rkill from any one of these links and save it to your desktop.

Rkill.com
Rkill.scr
Rkill.pif


Now double click on Rkill to run it. If the first one doesn't work try the n... Read more


I keep getting Windows Defender on my Windows 7 64-bit warning me that I have been infected by Trojan:Win32/Sirefef.AB. Even after it says it's removed, and even after doing boot scans with Avast which say it has been deleted, it keeps coming back.
 

Answer: Trojan:Win32/Sirefef.AB

I believe these are all the logs
 


So I'm getting some weird activity on my PC: random reboots, browser redirection and inability to click some links or download some protection tools etc. I've read the sticky and here are my posts. I'm pretty certain my PC is relatively unclean as it is, but I'd like to get rid of this Trojan before I address other issues. Thank you for reading and any help you can provide!

S.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:36:39 AM, on 7/21/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\... Read more

Answer: Trojan:Win32/Sirefef Help please


I received this computer infected and have since found the browser (IE) unresponsive to certain websites like Yahoo Mail. However Google and GMail work just fine.
Websearch was also the home page, which I have changed.
I've done full scans with both Microsoft Security Essentials and Malwarebytes. The Trojan is said to have been removed, only to reappear fairly quickly.
We'll take whatever we find one step at a time. The Trojan seems to be the most intrusive at this point.
The instructions asked for the DDS log, the Attach doc and the GMER log for 32 bit systems. I have attached the last 2.
OS is Vista.
Thanks in advance.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Owner at 18:32:18 on 2012-04-23
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3062.1433 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\... Read more

Answer: Trojan:Win32/Sirefef...

Hi stindi,

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and ... Read more


My computer is infected with Trojan Win32/Sirefef.O and my AVG antivirus is disabled. I tried installing Malwarebytes and Anti-Malwarebytes, Trojan Remover, Spy Doctor, but none of them worked. Only my Windows Firewall could detect it but could not remove it. Please, somebody help me remove this trojan virus, please...

Answer: trojan win32/sirefef.o

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

*************************************************************************

Please try this. Boot your computer in Safe Mode with Networking, download and install MBAM (below) and run a full scan. ... Read more


Hi, I have a trojan on my computer.

I get Win 7 Security 2012 pop ups. I have run rkill, TDSSKiller (log below), aswMBR (log below), Malwarebytes (don't have the log anymore but can run it again if asked). I've gotten rid of the ping.exe virus but my ESET NOD32 Antivirus 4's web access protection shows as non-functional and the log file shows "12/17/2011 5:33:56 PM Startup scanner file Operating memory ? C:\Windows\assembly\GAC_32\Desktop.ini a variant of Win32/Sirefef.DN trojan cleaned by deleting (after the next restart) YoonJoo-PC\YoonJoo"

Every time I restart, ESET NOD32 pops up with that message.

here is the log to aswMBR :

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-17 18:03:35
-----------------------------
18:03:35.010 OS Version: Windows x64 6.1.7601 Service Pack 1
18:03:35.011 Number of processors: 8 586 0x1E05
18:03:35.011 ComputerName: YOONJOO-PC UserName: YoonJoo
18:03:39.247 Initialize success
18:03:44.359 AVAST engine defs: 11121700
18:03:54.935 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:03:54.940 Disk 0 Vendor: ST310005 CC45 Size: 953869MB BusType: 8
18:03:54.955 Disk 0 MBR read successfully
18:03:54.958 Disk 0 MBR scan
18:03:54.964 Disk 0 Windows VISTA default MBR code
18:03:54.967 Service scanning
18:03:56.676 Modules scanning
18:03:56.684 Disk 0 trace - called modules:
1... Read more

Answer: Win32/Sirefef.DN trojan

Hi again.

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by YoonJoo at 20:22:56 on 2011-12-17
Microsoft Windows 7 Home Premium 6.1.7601.1.949.82.1033.18.8151.5623 [GMT -8:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNo... Read more


Hi,

I recently visited the www.dailymotion.co.uk site and have been infected with the Trojan:Win32/sirefef.p.
My Avast instantly popped up saying it had blocked it, however it keeps popping up now. I have downloaded Malwarebytes and done a full scan which found 4 bad files which I removed. However Avast still picks up on it.

I would appreciate any help with removing this.
Thanks
Tom

Answer: Trojan:Win32/sirefef.p

Hello and welcome.

Please post the MBAM log. The log is automatically saved and can be viewed by clicking the Logs tab. Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.

Please download TDSSKiller.zip and extract it. Run TDSSKiller.exe. Click Start scan. When it is finished the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue. Let it reboot if needed and tell me if the tool needed a reboot. Click on Report and post the contents of the text file that will open.

Note: By default, the utility outputs the log into the system disk (it is usually the disk with the installed operating system, C:\) root folder. The log has a name like: TDSSKiller.Version_Date_Time_log.txt. If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

I'd like us to scan your machine with ESET OnlineScan. Hold down Control and... Read more


I've been infected with viruses. I realized it when I was redirected to another website (CC Search) by Google after a Google search. After searching about this CC Search, I decided to install anti-virus to remove some viruses. I've tried installing Kaspersky but it seemed that it couldn't start. While downloading other anti-virus software, my internet connection was "cut off" half-way. This happens too when I am downloading other programs. It was then I started downloading using FreeDownloadManager so I could pause the download and continue after rebooting my computer when my internet connection was back. (The connection remains for about 5 minutes after starting a download.) Therefore I restarted 3-4 times before successfully downloading the anti-virus (HitMan and Spyware Doctor) and TDSSKiller. Although infections were found and removed, after rebooting my computer, Windows Defender found this trojan, Win32/Sirefef.O. Windows Defender prompted me to remove it and after clicking "Remove All", an error occurred:

Error encountered: Code 0x80508017. Some actions couldn't be applied to potentially harmful items. The items might be stored in a read-only location. Delete the files or folders that contain the items or, for information on removing read-only permissions from files and folders, see Help and Support.
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Advice: Remove this software immediately... Read more

Answer: Trojan:Win32/Sirefef.O

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only). If this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job, this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more


Windows detected this and my computer has been running very slowly.
Here are my logs.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:06:25 AM, on 11/6/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16450)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sony\VAIO Care\listener.exe
C:\Program Files (x86)\DDNi\Oasis\VAIO Messenger.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Users\AddyDoll\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sony.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Softwar... Read more

Answer: trojan:win32/sirefef.AN


ESET keeps popping up with a warning that I have been infected with the Win32/Sirefef Trojan. I have tried Malwarebytes, TDSSKiller, RogueKiller and still get this warning from ESET. Any help would be appreciated. Thanks.

Answer: Win32/Sirefef trojan

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

The fixes are specific to your problem and should only be used for the issues on this machine.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
Please be sure to subscribe to the topic if you have not already done so.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
 
Having said that... Let's get going!!
----------

Do you happen to have the logs that were made by both TDSSKiller and Malwarebytes?  If so, please post thos... Read more


This aging but beloved and venerable single core Intel, XP Service Pack 3 is a mess and I would greatly appreciate your help! Symptoms were dramatically slow response and redirect of websites with Firefox and IE. Malwarebytes removed, as far as I could tell, XP Virus 2012; AVG kept popping up threat alerts thereafter and ESET online scanner found and could not repair or remove the Win32/Sirefef.DA trojan. That short report follows. Please let me know, if you can, whether this is repairable or requires a reformat. OS, MS and Adobe program CDs no longer available ($$$). And what risk to passwords and financial/personal info? Thanks.

ESET

C:\Documents and Settings\Anthony S\Application Data\Sun\Java\Deployment\cache\6.0\0\3023a1c0-761e9945 Java/TrojanDownloader.OpenStream.NCA trojan deleted - quarantined
C:\Documents and Settings\Anthony S\Application Data\Sun\Java\Deployment\cache\6.0\17\2ff2a511-2e1033ec multiple threats deleted - quarantined
C:\Documents and Settings\Anthony S\Application Data\Sun\Java\Deployment\cache\6.0\61\3e9e997d-6f67da20 multiple threats deleted - quarantined
C:\WINDOWS\system32\drivers\serial.sys Win32/Sirefef.DA trojan unable to clean
Operating memory multiple threats


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:23:01 AM, on 12/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\s... Read more

Answer: Win32/Sirefef.DA trojan


I was working on trying to figure out why one of my PC games wasn't updating properly when I noticed that my Windows Firewall automatically turned itself off. After unsuccessful attempts to try and manually turn it back on, I checked Microsoft Security Essentials only to find that it wasn't working properly either. It displayed a message saying that the program wasn't installed, so I went ahead and uninstalled and then reinstalled it and started a quick scan. About halfway through, several error messages popped up along with the error message "WINDOWS CRITICAL ERROR REBOOT IN ONE MINUTE. SAVE YOUR WORK." Security Essentials displayed several malware with the name Sirefef.AH/.R, and I'm unable to do anything before my PC restarts itself.

After some research on this forum I've found several others with this issue and I'm gonna need help clearing this up. I've prepped a USB device with the Farbar Recovery Scan Tool and successfully retrieved FRST.txt and Search.txt as instructed in another thread just so I can help get the ball rolling on this a little faster.

NOTE: It's going to be difficult to get anything installed on the infected PC due to it restarting in about 60 seconds. (I'm using a roommate's PC in order to contact you guys.)

Any help will be GREATLY appreciated.

Thanks.

Answer: Sirefef Trojan on win32

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more


Vista OS
Infected with Win32/Sirefef.FB.Gen Trojan
Original thread/scan logs in the 'Am I Infected' section: HERE

DDS Text Log.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Run by Darren Brown at 15:52:08 on 2012-07-23
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1021.146 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:... Read more

Answer: Win32/Sirefef.FB.Gen Trojan

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more


Ladies and Gentlemen of the VTSM forum,

I need help. I thought I had a pretty simple rootkit infection, but tdsskiller/mbam has proven ineffective. MSE is able to identify and ostensibly remove the infection, but doing so makes the computer unbootable and system repair unable to complete, forcing a system restore to the infected state. The infection extends back to the oldest restore point. Win7 64 bit, running MSE and MS firewall with mbam for antimalware. SFC /scannow shows clear. Google redirects on Firefox and Chrome, occasional slowdowns, Windows Defender is unable to start on boot, otherwise the system seems to be running fine. No rootkits recognized by tdsskiller. As mentioned in the title, MSE shows win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e.

Here's the DDS log. Please let me know what else I should supply. Thank you in advance!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by wstrawn at 16:51:52 on 2012-02-17
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4061.1285 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* / Copyright 4
SP: Microsoft Security Essentials *Enabled/Updated* / Copyright 3
SP: Windows Defender *Disabled/Updated* / Copyright 2
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch... Read more

Answer: win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e combination is killing me

Hi Weeps!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete the copy that you... Read more


Home wifi connection no longer secure; multiple trojans/malware detected; also unfamiliar Composite Services/Network Connection remote access 'Workstation'; security settings changed; unable to turn on Windows features.

Answer: win32.sirefef trojan Windows 7

Hello, sort of a difficult sentence to understand.. Could you run these next.

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Please download AdwCleaner by Xplode onto your desktop.
• Close all open programs and internet browsers.
• Double click on adwcleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with Ok.
• You will be prompted to restart your computer. A text file will open after the restart.
• Please post the contents of that logfile with your next reply.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

>>>>

Now I'd like us to scan your machine with ESET OnlineScan.
Hold down Control and click on this link to open ESET OnlineScan in a new window.
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on Double click on the icon on your desktop.
Check "YES, I accept the Terms of Use."
Click the Start button.
Accept any security w... Read more


I got this through ESET NOD32 as a trojan in operating memory. I used the ESET Sirefef removal tool and it said that my computer was not affected. I used Malwarebytes, did a scan and found some infected files; I quarantined them and rebooted my computer and still got the message from ESET that the trojan is still on my computer.
 

Answer: removing win32/sirefef trojan

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:
If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual update Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user account, try using a different user account (if you have one... Read more

11 more replies

Hello,

I followed the instructions posted for removing the so-called Windows XP Security 2012 virus last week. However, other viruses seem to have taken its place. ESET is continuously blocking attacks, and when it performs a scan, it claims there to be a threat in the memory ( a variant of Win32/sirefef.DT trojan) that cannot be cleaned.

I followed the instructions in the preparation guide, but could not actually run the dds.scr scan -- when I double-click the icon, the window blinks and disappears. Further, I tried running GMER scan twice. The first time, the scan aborted after about 5 minutes - the entire program simply closed down. The second time was going very well, but about 5 hours into the scan, I got the "WARNING! about rootkit activity" message. I clicked OK, and the log up to that point disappeared entirely before the scan was finished, and before I could save/copy it.

Other symptoms I am now experiencing is an occasional Google redirect, and subsequent connectivity problems.

Thanks in advance for all of your help.

Answer: Infected with Win32/Sirefef.DT trojan, among others

Hi,

Please do the following:

Download OTL to your Desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Select All Users.
Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs.

NEXT

Please download aswMBR to your desktop.
Double click the aswMBR.exe icon to run it.
When asked if you want to download Avast's virus definitions please select Yes.
Click the Scan button to start the scan.
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To > Compressed (zipped) file. Attach that zipped file in your next reply as well.

64 more replies

Redirected here from http://www.bleepingcomputer.com/forums/topic451990.html/page__pid__2683892#entry2683892

As I have a 64-bit system I haven't done the GMER log.
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_32
Run by Tom at 11:37:22 on 2012-05-01
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.6142.4202 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe... Read more

Answer: Trojan:Win32/sirefef.p Logs

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more

9 more replies

How can I remove this virus manually. I cannot afford to pay to have it removed.

Answer: trojan/virus win32/sirefef.ah

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue. Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic. If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs. It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

1 more replies

Operating memory >> C:\Windows\assembly\GAC_32\Desktop.ini - a variant of Win32/Sirefef.DN trojan - cleaned by deleting (after the next restart) [1,2]

Answer: a variant of Win32/Sirefef.DN trojan

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more

23 more replies

Hello,
I've made several attempts to clear a trojan/virus infection from my computer using previous posts on this forum, but have been unsuccessful. It started with an alert popup from Windows Security Essentials saying that it detected threats (which I tried to remove using that program - it would say it was clean for a while and then pop up again) and my yahoo and google searches redirecting to invalid pages. I followed directions from another post and went into safe mode and used TDSS Killer, Malwarebytes and Super Anti-spyware - all three programs found threats, removed them, and now come up clean when I run them. I have rebooted after each scan and removal. However, the Windows Security Essentials is still popping up showing threats detected. When I click on the details screen it shows "trojan:win32/sirefef.S, trojan:win64/sirefef.E, and trojan:win64/sirefef.D" as the threats. The yahoo/google searches are no longer redirecting, but the internet is running much slower than usual. I would really appreciate any help that you could offer in removing them! Thanks in advance.
Below is the dds text and the attach and ark texts are attached.
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Michele at 11:47:12 on 2011-12-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.183 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA... Read more

Answer: Infected with Trojan:win32/sirefef.s

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only). If this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more

13 more replies

Hi guys,

This is the second time i've tried to post my problem on here. I think the virus is somehow deleting them :S

I've attempted to run HijackThis; the first time it opened two windows and I was told the installation couldn't continue because there was already an installation running. I cancelled it and there was no other window open. The second time I managed to get it installed, the scan ran for 2 seconds before closing. I clicked on the icon again and it came up with "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item". I am the sole user of this computer, so I gave myself administrative privileges.

No anti-virus software I have (malwarebytes, AVG 2012 or Superantispyware) will work. If it manages to open, as soon as I start a scan, it closes. Also, when I go to search something on a search engine, it attempts to re-direct me to a different site.

I did, however, manage to download the DDS and the Attach files:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Rhi at 15:19:52 on 2011-11-07
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2048.1264 [GMT 0:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\syst... Read more

Answer: Trojan:Win32/sirefef.O and admirablesearchsystem.com

Update: I had to do a clean install, seeing as I wasn't getting any responses, but maybe someone can help with my new issue.

After the install, I wanted to change my theme on the desktop to AERO, it told me that it can't access the video card. I went into device manager, and under where my graphics card should be, it says "Standard VGA". I've tried updating the drivers for it, but it's no use as the computer can't even recognise it.

My graphics card: Nvidia GeForce FX 5200.

Someone please help?

Thanks,
Rhi
 

1 more replies

On approx 12th Aug I started to get a message from ESET NOD32 antivirus 4 saying I had a "variant of Win32/Patched.B.Gen trojan."

I have then been on holiday until 24th Aug. Computer off between 14th and 24th.

Now I get a message saying "variant of Win32/Sirefef.EZ trojan."

All it seems to do is redirect me to innocuous webpages when I click on links in Google searches.

Hope you can help. Mark

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
Run by Mark Nugent 2 at 18:22:35 on 2012-08-27
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.16375.13108 [GMT 1:00]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k ... Read more

Answer: variant of Win32/Sirefef.EZ trojan

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

22 more replies

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows XP Professional, Service Pack 3, 32 bit
Processor: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz, x86 Family 6 Model 23 Stepping 10
Processor Count: 2
RAM: 2046 Mb
Graphics Card: ATI Radeon HD 3450, 512 Mb
Hard Drives: C: Total - 152546 MB, Free - 114131 MB;
Motherboard: Dell Inc., 0N185P
Antivirus: ESET NOD32 Antivirus 4.0, Updated: Yes, On-Demand Scanner: Enabled

Log from ESET Scan:

Operating memory \GLOBAL??\7571a07c\WINDOWS\$NtUninstallKB54541$\1970380924\Desktop.ini - Win32/Sirefef.DN trojan - cleaned by deleting [1]
Operating memory svchost.exe(1236) - a variant of Win32/Sirefef.DT trojan - unable to clean
C:\WINDOWS\system32\drivers\netbt.sys - Win32/Sirefef.DA trojan - unable to clean
 

Answer: Win32/Sirefef.DT Trojan Removal Help

16 more replies
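The ESET log lines quoted in this thread all share one format, and the detail that matters for triage is whether an object was actually cleaned or is reported again after the restart the cleaner asks for. As an added example (not code from the thread or from ESET), this Python parser reads such lines and flags what the cleaner is not reaching; the sample scans are constructed from the three lines above.

```python
"""Parse ESET scan log lines of the form
    [Operating memory [>>]] <object> - [a variant of ]<threat> <kind> - <action>
and triage them across consecutive scans.  Added example; the sample data
below is constructed from the log lines quoted in this thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_LINE = re.compile(
    r"^(?P<mem>Operating memory)?[\s>?]*"          # in-memory prefix, e.g. "Operating memory >>"
    r"(?P<obj>.+?)\s+-\s+"                          # file path or "process.exe(pid)"
    r"(?:a variant of\s+)?(?P<threat>\S+/\S+)\s+"   # e.g. Win32/Sirefef.DN
    r"(?P<kind>\w+)\s+-\s+"                         # "trojan"
    r"(?P<action>.+?)\s*$"                          # "unable to clean", "cleaned by deleting [1]"
)
_FOOTNOTE = re.compile(r"\s*\[[\d,\s]+\]$")         # trailing "[1]" / "[1,2]" references
_PID = re.compile(r"\(\d+\)$")                      # "(1236)" after a process name


@dataclass
class Detection:
    in_memory: bool
    obj: str
    family: str     # "Sirefef"
    variant: str    # "DN", "DT", ...
    action: str     # footnote-stripped action text

    @property
    def key(self) -> str:
        """Identity of the infected object across scans: PIDs change on reboot,
        so they are stripped from process entries; paths are compared case-insensitively."""
        return _PID.sub("", self.obj).lower()

    @property
    def unable(self) -> bool:
        return self.action.startswith("unable")


def parse_eset_line(line: str) -> Optional[Detection]:
    """Return a Detection for one log line, or None if the line is not a detection."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    name = m.group("threat").split("/", 1)[1]       # "Sirefef.DN"
    family, _, variant = name.partition(".")
    return Detection(
        in_memory=m.group("mem") is not None,
        obj=m.group("obj"),
        family=family,
        variant=variant,
        action=_FOOTNOTE.sub("", m.group("action")),
    )


def triage(scans: List[List[str]]) -> Dict[str, object]:
    """scans: log lines from consecutive scans, oldest first (for instance before and
    after the reboot the cleaner asked for).  Reports objects the scanner could not
    clean, objects reported again in a later scan, and whether that combination means
    the infection is not being removed by on-line scanning at all."""
    first_seen: Dict[str, int] = {}
    unable, recurring, families = set(), set(), set()
    for i, lines in enumerate(scans):
        for line in lines:
            d = parse_eset_line(line)
            if d is None:
                continue
            families.add(d.family)
            if d.unable:
                unable.add(d.key)
            if d.key in first_seen and first_seen[d.key] < i:
                recurring.add(d.key)          # "cleaned" last time, back again now
            first_seen.setdefault(d.key, i)
    return {
        "families": sorted(families),
        "unable_to_clean": sorted(unable),
        "recurring": sorted(recurring),
        "needs_offline_cleanup": bool(unable or recurring),
    }


# Constructed sample: the three detections quoted in this thread, then the same
# machine scanned again after the reboot ESET asked for (svchost got a new PID).
SCAN_BEFORE_REBOOT = [
    r"Operating memory \GLOBAL??\7571a07c\WINDOWS\$NtUninstallKB54541$\1970380924\Desktop.ini - Win32/Sirefef.DN trojan - cleaned by deleting [1]",
    r"Operating memory svchost.exe(1236) - a variant of Win32/Sirefef.DT trojan - unable to clean",
    r"C:\WINDOWS\system32\drivers\netbt.sys - Win32/Sirefef.DA trojan - unable to clean",
]
SCAN_AFTER_REBOOT = [
    r"Operating memory >> \GLOBAL??\7571a07c\WINDOWS\$NtUninstallKB54541$\1970380924\Desktop.ini - a variant of Win32/Sirefef.DN trojan - cleaned by deleting (after the next restart) [1,2]",
    r"Operating memory svchost.exe(1604) - a variant of Win32/Sirefef.DT trojan - unable to clean",
    r"C:\WINDOWS\system32\drivers\netbt.sys - Win32/Sirefef.DA trojan - unable to clean",
]

if __name__ == "__main__":
    for name, value in triage([SCAN_BEFORE_REBOOT, SCAN_AFTER_REBOOT]).items():
        print(f"{name}: {value}")
```

A Desktop.ini that is "cleaned by deleting" on every scan, together with a patched system driver that cannot be cleaned, is the pattern the helpers in these threads answer with an offline tool run from the recovery environment rather than another in-Windows scan.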

How do you remove this trojan? W.E. cleans it but doesn't keep it from coming back.
Thanks
Herman

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Answer: trojan: win32/sirefef removal

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue. Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic. If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs. It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

1 more replies

Do not know how to remove.
DDS scan files attached.
Thank you!

Answer: Infected with Trojan:win32/sirefef.AB

Hello sltmfla, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same",... Read more

32 more replies

http://www.bleepingcomputer.com/forums/topic455847.html/page__gopid__2722494#entry2722494

After following the instructions in the above post, I still believe to be infected. Per the last instructions in that post, I ran DDS and GMER along with sysinternals to view the running processes in more detail. Attached are the reports.

Something to point out again is that every time I load Kaspersky, CPU usage is high and 2 svchost.exe processes are associated with Kaspersky that normally don't show in another healthy computer that I have at home. The Sysinternals private bytes column went as high as 1GB so I don't know if this means that my data was compromised or not. Please refer to the screenshot to illustrate my point.

Thanks.

Answer: Infected with Win32/sirefef.ev trojan

Hi consigliere,
My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to).
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can also help.
Do not run anything while running a fix.
If you don't understand a step, please ask for clarification before continuing with any future steps.
Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

It appears you've already run Combofix. Please post the Combofix log located at C:\Combofix.txt in your next post.

36 more replies

Hello-

I see there are multiple requests for help removing this nasty malware but each one seems to stress the importance of getting individualized help for each computer so here goes... MSE is detecting this Trojan, quarantining it, and removing it but then it's back after a couple of minutes. I'm running Windows Vista 32 Bit and I backup with Carbonite. I would greatly appreciate any help removing this! Here are my logs:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:40:51 PM, on 7/6/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19272)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Fil... Read more

Answer: Trojan:Win32/Sirefef.AL - Please help remove!

16 more replies

Several months back my mother's netbook was infected with ZeroAccess. I was able to clean that off and it ran fine for awhile. Then all the icons on the desktop disappeared again, there is no network (wired or wireless) and after every reboot Microsoft Security Essentials detects and quarantines an instance of Trojan:Win32/Sirefef.AH. Nothing else has been detected in the past month.

I followed the prep guide but DDS would freeze the whole computer after displaying 50 #'s. So, sorry, no DDS.txt or Attach.txt.

GMER finished and the ark.txt file is attached. However, there was a problem running GMER. I got the following error:

LoadDriver ( "C:\DOCUME~1\Lou\LOCALS~1\Temp\uxloakow.sys" ) error 0xC000010E: Cannot create a stable subkey under a volatile parent key.
Also, when the GMER window opened, only Services, Registry, Files and ADS could be selected.

Answer: Infected with Trojan:Win32/Sirefef.AH

Hi,

Please run the following:

Please download Unhide.exe to your desktop.
Double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the hidden attributes from all the files on your system.
Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.

NEXT

Download OTL to your Desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Select All Users.
Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /rp /s
DRIVES
CREATERESTOREPOINT
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs.

22 more replies

I recently ran a virus scan and I can't seem to get rid of the viruses. I will delete them, then they come back every 2 minutes or so. Any help would be greatly appreciated, thanks.
 

Answer: Trojan:Win32/Sirefef.AL and AQ, Need help removing please!

In order to provide the antimalware experts with the information they'll need to correctly diagnose and solve your problem, please follow the instructions in this thread:
http://forums.techguy.org/virus-other-malware-removal/943214-everyone-must-read-before-posting.html

The malware removal forum is very busy and techguy insists that antimalware volunteers be suitably trained before they're authorized to help. This means that it can take a while before someone gets to your thread, but once they do they'll stick with you until the machine is clean.
 

1 more replies

I have three problems with my laptop. First ESET Smart Security 5 keeps giving me I'm infected with this:

Operating memory >> C:\Windows\assembly\GAC_32\Desktop.ini
a variant of Win32/Sirefef.DN trojan

It tells me that it will be deleted with the next reboot, but just a few minutes after I reboot, I get the same message again.

Also, every time I reboot, and I think a few other times besides, ESET gives me the following message:

Detected DNS cache poisoning attack
Remote IP address:
(It then lists an IP address. It has listed two different IP addresses so far.)

The third issue is that when I open my browser (firefox) after a minute or so a new tab opens up to some random website. When my browser is closed, ESET warns me that it has blocked an address, which I am assuming is exactly what does open up when my browser is open.

I'm editing this because ESET found another issue. That's AV Protection 2011. ESET says that it's quarantined, but I just went through the removal process you guys have on here for another AV 2011 program, so I thought you guys could give me a little more help with this.

I have Windows 7 Home Premium 64-bit.

Here is the information you requested:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Inna at 11:28:13 on 2011-11-20
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3948.2830 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updat... Read more

Answer: Variant of Win32/Sirefef.DN trojan

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only). If this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

12 more replies

Hello,

My laptop = Sony Vaio. Windows XP. Service Pack 3.

My Microsoft Security Essentials detected "Trojan:win32/Sirefef.O", but couldn't delete it.

I downloaded GMER and followed the instructions. It ran for about 30 seconds, then it shut itself down and the scan window disappeared.

I double-clicked the GMER icon again; it said: "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item".

I tried dragging the icon to the recycle bin; it said: "Cannot delete gmer: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use".

I logged in to safe mode; I still couldn't delete the icon.

I came back to normal mode, tried extracting the GMER zip file, and saved it to a folder that's not on the desktop. Opened it, unchecked all the boxes, only left drive C and Sections. It scanned, and I got the result.

Please let me know if I did it correctly, and also if you need more information. Thank you in advance.



DDS

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by j at 7:28:28 on 2011-11-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.50 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated*
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Progr... Read more

Answer: MSE can't delete Trojan:win32/Sirefef.O

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log... Read more


Hello,

I opened my husband's computer today and my ESET indicated that there was an infection and the computer hadn't deleted it and needed to reboot to finish the deletion. However, even after the reboot I got the message, and keep getting it. I didn't notice very much wrong with my computer, only I noticed when I opened Chrome that a new window was opening, and I noticed the link being opened was something like "kaokaema.."; I couldn't catch the name in time before it redirected.

So I know that there's something still very wrong as I keep getting the blue screen... I can't scan with GMER without getting the blue screen (even with all programs closed and mouse deactivated)... so here are the rest of the logs..

It's the win32/Sirefef.DA trojan...and I found some "solutions" on other forums like deleting entries in regedit or in application data folder, but didn't find those entries.

Please help!

thanks,

Vivian


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:19:45 PM, on 11/28/2011
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16982)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\explorer.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPS... Read more

Answer:win32/sirefef.da trojan Infection!!! Help please!


Hi guys,

I'm trying to sort out this virus that affected my computer really badly. I got a warning flag from windows defender saying that my firewall isn't enabled etc and it hadn't run a scan in a while. So I ran a scan, and it found the Trojan listed in the subject title. I tried to run malwarebytes, avg and superantispyware, they don't even open. They opened just after I installed them, but then I did a scan and it just exited. I clicked on them again and it came up with this message 'windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item' I am the only user of the computer, so I gave myself administrative privileges.

It also re-directs my searches to different websites, meaning it's very difficult for me to search for antivirus software. I went through the instructions to do before posting and this is what happened:

- I managed to successfully download hijackthis, but when I went to install, it said another file was installing, so I had to cancel. There was nothing else installing, it had opened two windows. I then attempted it again and it installed ok. I went to scan, and it was open for about 2 seconds before closing itself, I went to open it again and the windows message opened again. So I don't have a log.

- DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Rhi at 15:19:52 on 2011-11-07
Microsoft Windo... Read more


I can not get rid of this virus. I have used Microsoft Security Essentials, Malwarecity's how to remove zeroaccess rootkitsirefef from your PC as easy as 123 and McAfee's RootkitRemover. After running the Malwarecity tool, my computer slowed down drastically. I tried to use System Restore, restoring to a date prior to my virus problem, and that failed. I can not get on Internet Explorer. I am able to use Google Chrome. I ran another quick scan using Microsoft Security Essentials which didn't detect anything. However, my computer is still running very slow. I don't know what else to do. Would you be able to offer me some advice?
Thank you!
Becky

Answer:Trojan:Win32/Sirefef.AC Virus

I apologize... operating system is Windows XP


As soon as this thing got loose it shut down Microsoft Security Essentials and started trying to download files from the internet. I've run what I could before it locked me out of the desktop. So now I need help; I can get onto my desktop for now. I'm working on a HP Pavilion a1040n desktop computer.

Answer:Trojan Downloader: Win32/Sirefef.B

This is the ZeroAccess rootkit.

With the information you have provided I believe you will need help from the malware removal team.
Please make sure that you read the information about getting started first.

http://www.bleepingcomputer.com/forums/topic34773.html
Then start a new thread HERE and include our required logs.

http://www.bleepingcomputer.com/forums/forum22.html

Including a link to this thread will be helpful.


How do I get rid of a virus called Trojan:Win32/Sirefef.AN without downloading anything? I don't know how it got on here, but I need to get it off before my parents find out. What can I do? I'M DESPERATE, PLEASE!

Answer:how to get rid of Trojan:Win32/Sirefef.AN without download

Win32/Sirefef.AN
http://www.microsoft.com/security/p...

Caution: Win32/Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. Particular variants of Win32/Sirefef may also make lasting changes to your computer that will NOT be restored - some system files may be irrevocably corrupted and essential security services may be disabled.

As a consequence of being infected with this threat, you may need to reinstall your Windows operating system and other computer programs, and restore your files and data from backup. Please see Additional remediation steps in this entry for more information.


Hi, need some help and here are the requested logs.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Bobbie at 0:06:17 on 2011-12-08
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3061.1616 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.e... Read more

Answer:Infected with Trojan.Win32.Sirefef.a / p other

Someone can close, delete, ignore or handle this however you normally do when you get no response as I have decided to back up and restore system to original condition. I think it is just too far gone. Thanks!


When I try to turn Windows' firewall on/off, I get the message "Due to an unidentified problem, Windows cannot display Windows firewall settings."

The Security Service center cannot be started.

I cannot install cumulative security update for IE8.

I was getting redirected to different websites in new windows when surfing.

I recently removed AVG and installed Avast. I also recently updated JAVA and removed old JAVA stuff.

Avast keeps indicating it has blocked:

Infection - Win64:Sirefef-A[Trj]
Object [email protected]

Infection - Win32:Sirefef-AD[Rtk]
Object - [email protected]

Infection - Win32:Malware-gen
Object - [email protected]

I have scanned w/ Avast (Avast also did a boot scan), Malwarebytes, and SuperAntiSpyware, and nothing has changed except the redirect seems to have stopped.

I tried the gmer scan three times and each time it resulted in a blue screen. All I could read on the screen was uwldypow.sys.

Anyway the DDS file -

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 10.5.1
Run by JIM at 21:05:10 on 2012-06-29
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.170 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:&... Read more

Answer:Infected w/ Win64:Sirefef-A[Trj], Win32:Sirefef-AD[Rtk], Win32:Malware-gen

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more


Please help

12/10/2012 1:40:48 AM Startup scanner file Operating memory ? services.exe(644) probably a variant of Win32/Sirefef.EV trojan unable to clean WEE-674D2B458B0\xinlong

Answer:ESET says: probably a variant of Win32/Sirefef.EV trojan

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the t... Read more


Here's my logs: DDS and two GMER logs, one zipped. The link to my original post ( http://www.bleepingcomputer.com/forums/topic424433.html ) and I have run a few things just to see if they'd clean it, but not sure what I was doing so I haven't made any changes. I haven't done anything since these logs so I don't mess up anything. First my DDS log and the attached zip file!!!!!

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by orion311976 at 21:20:39 on 2011-10-21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.655 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd... Read more

Answer:Trojan Downloader: Win32/Sirefef.B Infection

Its been a couple of days, just check'n if I'm still in line for help.....


Hi everyone. Hope you won't mind helping me with this issue.

Yesterday, upon start up of my laptop (Windows Vista Home Edition OS), I was informed by Avast that I had some sort of a trojan infection and that it would proceed to quarantine them to the virus chest. After the reboot and scan, it had shown that the virus was removed but another scan done by MBAM revealed that the infected object was still there. I was told by MBAM that it was the following file C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) but I can't seem to find it anywhere. An Avast scan stated the following had been removed/placed in virus chest but each subsequent scan by MBAM still reveals the Desktop.ini to be infected.

C:\Windows\assembly\GAC\Desktop.ini
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\n
C:\Windows\Installer\...\[email protected]
Win32:Sirefef-PL[Rtk]
Win32:Malware-gen

At one point, Avast stated that one of my music software exe files for FL Studio.exe was a virus even though upon scanning by both Avast and MBAM, it was not. I'm not sure what is the cause of some false positives or how to remove this virus. My Google Chrome browser gets periodically automatically redirected to this address http://83.133.127.55/ whenever I click on a link in Yahoo or Google.

Also, whenever I try to access google.com on Chrome, I receive the following message:

The site's security certificate ... Read more

Answer:Infected with Trojan.0access and Win32:Sirefef-PL[Rtk]

Hi,

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Boot Menu:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
Use the arrow keys to select the Repair your computer menu item.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Choose your language settings, and then click Next.
Click Repair your computer.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool (Scan your computer's memory for errors.)
Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe and press Enter.
Note: Replace letter e with the drive letter of your ... Read more


Anti-virus keeps asking to reboot system to clean files that are "locked or in use." Rebooting does not remove or clean files, and reboot message returns. Anti-virus scan shows red flags for the following: Operating memory ? services.exe(640) - a variant of Win32/Sirefef.EV trojan - unable to clean; and, Operating memory ? C:\Windows\assembly\GAC\Desktop.ini - a variant of Win32/Sirefef.EZ trojan - deleted (after the next restart) [2].

DDS (Ver_2012-10-14.05) - NTFS_x86
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 10.7.2
Run by Give at 18:06:33 on 2012-10-15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2036.952 [GMT -6:00]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Outdated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: COMODO Defense+ *Enabled/Updated* {1C31E4C3-A132-6AC6-4A85-4415E7D88418}
SP: ESET NOD32 Antivirus 4.0 *Enabled/Outdated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: COMODO Defense+ *Enabled* {9F6B8402-CD67-6410-5B6A-D652628C89DE}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32... Read more
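Added here as an example, not code from the thread or from any of the tools it names: a PowerShell check for the two on-disk artifacts reported in the Avast post above (C:\Windows\Installer\{GUID}\n and C:\Windows\assembly\GAC\Desktop.ini) and in this ESET post (the same Desktop.ini). It generalises slightly, treating any regular file directly in the GAC root as suspicious; that generalisation, the function name and the output layout are assumptions, and it is written against PowerShell 2.0 so it runs on the XP/Vista/7 hosts in these threads.

```powershell
# Added example, not code from the thread or from any tool it names.
# Looks for the on-disk Sirefef/ZeroAccess artifacts the posts report:
#   C:\Windows\assembly\GAC\Desktop.ini   (MBAM: Trojan.0access)
#   C:\Windows\Installer\{GUID}\n         (Avast: Win32:Sirefef-PL[Rtk])
# Assumptions: any regular file directly in the GAC root is suspicious (the
# GAC root normally holds only directories), and the object layout is mine.
# Written against PowerShell 2.0 for the XP/Vista/7 hosts in the thread;
# run it from an elevated prompt.

function Get-SirefefArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]

    # Record one file with the details a responder wants to see.
    function Add-Finding([string]$Indicator, [System.IO.FileInfo]$File) {
        $hidden = (($File.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0)
        $findings.Add((New-Object PSObject -Property @{
            Indicator = $Indicator
            Path      = $File.FullName
            SizeBytes = $File.Length
            Hidden    = $hidden
            Modified  = $File.LastWriteTime
        }))
    }

    # 1. On these Windows versions Explorer presents C:\Windows\assembly through a
    #    shell extension, which is why the poster could not find Desktop.ini in the
    #    GUI. -LiteralPath with -Force reads the real directory, hidden and system
    #    entries included.
    $gacRoot = Join-Path $env:SystemRoot 'assembly\GAC'
    if (Test-Path -LiteralPath $gacRoot) {
        Get-ChildItem -LiteralPath $gacRoot -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { Add-Finding 'File in GAC root (expected: directories only)' $_ }
    }

    # 2. Installer {GUID} folders hold cached .msi/.msp and icon files; a bare file
    #    named "n" there is the component Avast quarantined in the post above.
    $installer = Join-Path $env:SystemRoot 'Installer'
    Get-ChildItem -LiteralPath $installer -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $n = Get-Item -LiteralPath (Join-Path $_.FullName 'n') -Force -ErrorAction SilentlyContinue
            if ($n -and -not $n.PSIsContainer) {
                Add-Finding 'File "n" in Installer GUID folder' $n
            }
        }

    # Return the list as a single object so an empty result still has a Count.
    return ,$findings
}

$results = Get-SirefefArtifacts
if ($results.Count -eq 0) {
    Write-Output 'None of the checked Sirefef file artifacts were found.'
} else {
    $results | Select-Object Indicator, Path, SizeBytes, Hidden, Modified | Format-Table -AutoSize
}
```

A hit here only confirms the file is present; an infected host still needs the full cleanup the helpers in these threads walk through, since the in-memory services.exe infection ESET reports is not visible on disk.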

Answer:Infected with a Variant of Win32/Sirefef.EV - Trojan

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more


I've been infected with viruses. I realized it when I was redirected to another website (CC Search) by Google after a Google search. After searching about this CC Search, I decided to install anti-virus to remove some viruses. I've tried installing Kaspersky but it seemed that it couldn't start. While downloading other anti-virus software, my internet connection was "cut off" half-way. This happens too when I am downloading other programs. It was then I started downloading using FreeDownloadManager so I could pause the download and continue after rebooting my computer and my internet connection was back. (The connection remains for about 5 minutes after starting a download.) Therefore I restarted 3-4 times before successfully downloading the anti-virus (HitMan and Spyware Doctor) and TDSS killer. Although infections were found and removed, after rebooting my computer, Windows Defender found this trojan, Win32/Sirefef.O. Windows Defender prompted me to remove it and after clicking "Remove All", an error occurred:

Error encountered: Code 0x80508017. Some actions couldn't be applied to potentially harmful items. The items might be stored in a read-only location. Delete the files or folders that contains the items or, for information on removing read-only permissions from files and folders, see Help and Support.
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Advice: Remove this software immediately... Read more

Answer:Infected with viruses. (Trojan:Win32/Sirefef.O)

With the information you have provided I believe you will need help from the malware removal team. Please make sure that you read the information about getting started first. Then start a new thread HERE and include our required logs. Including a link to this thread will be helpful. Good luck and be patient. Help is on the way!


Fool that I am, I tried to torrent a program (I know, I know), and now my browser (Chrome) redirects to 'www.trovi.com.' I read the comments for the torrent file a little closer, find somebody's antivirus pinged 'trojan Dropper Win32/Sirefef.B'. 
 
I followed Microsoft's removal instructions to no avail. I've updated and run Microsoft Security Essentials, Microsoft Safety Scanner and Malwarebytes, none of them pick this thing up. Please help!

Answer:Virus! Maybe trojan Dropper Win32/Sirefef.B. Please help!

Hello and welcome ZRR

Download TDSSKiller and save it to your desktop.
Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

...

ADW Cleaner
Please download AdwCleaner by Xplode and save to your Desktop.
Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin... be patient as the scan may take some time to complete.
After the scan has finished, click on the Report button... a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
After reviewing the log, click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Copy a... Read more
