Computer Support Forum

Infected with Trojan:Win32/Sirefef.AG and Sirefef.I

Question: Infected with Trojan:Win32/Sirefef.AG and Sirefef.I

Microsoft Security Essentials keeps reporting this Trojan and quarantines it. After attempts to remove the file, it keeps reappearing. It shows a file location that I am unable to find on my system: C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\U\[email protected]
Now I am getting a warning about VirTool:Win32/Obfuscator.XQ @ C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\n. However, this file cannot be located either. There is no C:\Windows\Install directory.
Also ComboFix loads and starts, then it crashes: it disappears from the file manager and the splash screen disappears. The program literally stops running.


DDS Text File Contents:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Estelle Clark at 2:59:47 on 2012-05-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2423.1353 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Common Files\ArcSoft\esinter\Bin\eservutil.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Program Files\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe
C:\Program Files\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe
C:\Program Files\CyberLink\PowerDVD11\Common\MediaServer\CLMSServerForPDVD11.exe
C:\Program Files\Nuance\Nuance Cloud Connector\GladFileMonSvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nuance\Nuance Cloud Connector\WOSVSSSvrXP32.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Paperport\PaperPort\PDFProFiltSrvPP.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\RoboSoft4\RSDBServer.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Microsoft Security Client\msseces.exe
\\.\globalroot\systemroot\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\U
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = <local>;*.local;127.0.0.1
mURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
mURLSearchHooks: H - No File
mURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: PlusIEEventHelper Class: {551a852f-39a6-44a7-9c13-afbec9185a9d} - c:\program files\nuance\pdf viewer plus\bin\PlusIEContextMenu.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf create 7\bin\ZeonIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers\YontooIEClient.dll
BHO: Download Accelerator Plus Integration: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
TB: Dogpile Bundle Toolbar: {c80bdeb2-8735-44c6-bd55-a1ccd555667a} - c:\program files\dogpile bundle toolbar\Toolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: DocuCom PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf create 7\bin\ZeonIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-system: HideFastUserSwitching = 0 (0x0)
IE: {71BFC818-0CED-42D6-9C87-5142918957EE} - c:\program files\icq7.1\ICQ.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: cinemanow.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: oma11pwww05
Trusted Zone: prod.westworlds.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
Trusted Zone: west.com
Trusted Zone: westathome.com
Trusted Zone: westathome.net
Trusted Zone: workathomeagent.net
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260353259687
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} - hxxp://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{934D3B2E-8557-4875-954A-F51900B08625} : DhcpNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\symantec\talkworks\WfxSeh32.Dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\estelle clark\application data\mozilla\firefox\profiles\amhyvdtd.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\estelle clark\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwangwang.dll
FF - plugin: c:\program files\nuance\pdf viewer plus\bin\nppdf.dll
FF - plugin: c:\program files\nuance\pdf viewer plus\bin\nppdf.dll
FF - plugin: c:\program files\trademanager\npwangwang.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.id - 6879996000000000000000ff9bfb84d6
FF - user.js: extensions.BabylonToolbar_i.hardId - 6879996000000000000000ff9bfb84d6
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15338
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1721:12:03
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=107763
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
FF - user.js: extentions.y2layers.installId - e6218ce3-fce4-47a4-9176-595a0edb491b
FF - user.js: extentions.y2layers.defaultEnableAppsList - bestvideodownloader,ezLooker,pagerage,buzzdock,toprelatedtopics,twittube
.
FF - user.js: extensions.autoDisableScopes - 14
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2010-5-23 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2010-5-23 15856]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2010-12-24 244608]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2010-5-23 25584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2012-5-17 101112]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2011/12/04 08:24:55];c:\program files\cyberlink\powerdvd11\common\navfilter\000.fcl [2011-9-2 77296]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]
R2 ADExchange;ArcSoft Exchange Service;c:\program files\common files\arcsoft\esinter\bin\eservutil.exe [2011-10-25 37280]
R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
R2 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;c:\program files\cyberlink\powerdvd11\kernel\dmp\CLHNServiceForPowerDVD.exe [2011-12-4 83240]
R2 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;c:\program files\cyberlink\powerdvd11\common\mediaserver\CLMSMonitorService.exe [2011-12-4 75048]
R2 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;c:\program files\cyberlink\powerdvd11\common\mediaserver\CLMSServerForPDVD11.exe [2011-12-4 292136]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-12-9 54752]
R2 GladFileMonSvc;GladFileMonSvc;c:\program files\nuance\nuance cloud connector\GladFileMonSvc.exe [2011-7-26 29552]
R2 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2010-5-21 246520]
R2 MSSQL$PROVIDUSSTD;SQL Server (PROVIDUSSTD);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\tools\incd\NBHRegInCDSrv.exe [2009-10-16 53560]
R2 ntk_PowerDVD;ntk_PowerDVD;c:\program files\cyberlink\powerdvd11\kernel\dmp\ntk_PowerDVD.sys [2011-12-4 71664]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\paperport\paperport\PDFProFiltSrvPP.exe [2011-8-13 138600]
R2 RSDBServerService;RoboSoft Database Server;c:\program files\robosoft4\RSDBServer.exe [2010-4-10 1753088]
R3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\drivers\gttap1.sys [2008-3-18 20480]
S1 kuenvehn;kuenvehn;c:\windows\system32\drivers\kuenvehn.sys [2012-5-19 42960]
S1 minkjybk;minkjybk;c:\windows\system32\drivers\minkjybk.sys [2012-5-19 42960]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-10 136176]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-1-31 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2011-12-24 257696]
S3 cpuz132;cpuz132;\??\c:\docume~1\estell~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\estell~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2011-10-30 23456]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-10 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.1.121\McCHSvc.exe [2010-9-3 227232]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 129976]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-1-9 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-1-9 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-1-9 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-1-9 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-1-9 25704]
S4 AutoKMS;AutoKMS; [x]
.
=============== Created Last 30 ================
.
2012-05-19 07:40:20 42960 ----a-w- c:\windows\system32\drivers\minkjybk.sys
2012-05-19 07:23:03 42960 ----a-w- c:\windows\system32\drivers\kuenvehn.sys
2012-05-18 16:30:38 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ad34aab4-d5ed-4f12-86ac-99889dd0c985}\offreg.dll
2012-05-18 16:26:04 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ad34aab4-d5ed-4f12-86ac-99889dd0c985}\mpengine.dll
2012-05-18 14:41:22 -------- d-----w- c:\documents and settings\estelle clark\application data\SUPERAntiSpyware.com
2012-05-18 14:40:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-18 14:40:13 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-05-18 14:32:09 1140 ----a-w- c:\windows\system32\tmp.reg
2012-05-18 00:03:20 -------- d-----w- c:\documents and settings\estelle clark\application data\Anvisoft
2012-05-18 00:02:25 -------- d-----w- c:\program files\Anvisoft
2012-05-17 22:34:32 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-17 22:06:18 -------- d-s---w- C:\ComboFix
2012-05-17 21:46:51 42864 ----a-r- c:\windows\system32\SBBD.EXE
2012-05-17 21:46:51 101112 ----a-r- c:\windows\system32\drivers\SBREDrv.sys
2012-05-17 21:46:30 -------- d-----w- c:\program files\common files\iS3
2012-05-16 01:32:10 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-16 01:02:19 -------- d-----w- c:\documents and settings\estelle clark\application data\ElevatedDiagnostics
2012-05-13 04:08:47 -------- d-----w- c:\documents and settings\all users\application data\regid.1986-12.com.adobe
2012-05-05 00:57:44 -------- d-----w- c:\program files\Dropbox
2012-04-26 08:13:36 -------- d-----w- c:\documents and settings\estelle clark\local settings\application data\NewSoft
2012-04-26 08:13:15 -------- d-----w- c:\documents and settings\estelle clark\application data\NewSoft
2012-04-26 08:08:36 139800 ----a-w- c:\windows\system32\TWAINDSM.dll
2012-04-26 08:06:29 -------- d-----w- c:\program files\common files\NewSoft
2012-04-26 08:05:19 -------- d-----w- c:\program files\NewSoft
2012-04-26 08:05:18 -------- d-----w- c:\windows\system32\color
2012-04-25 11:44:05 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-25 11:43:59 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-04-25 11:43:59 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-04-23 13:33:49 -------- d-----w- c:\program files\Unlocker
2012-04-23 11:40:16 -------- d-----w- c:\documents and settings\estelle clark\application data\LockHunter
2012-04-23 11:39:41 -------- d-----w- c:\program files\LockHunter
2012-04-22 22:19:02 -------- d-----w- c:\documents and settings\estelle clark\local settings\application data\xheader-data
2012-04-22 22:15:58 201817 ----a-w- c:\windows\XHeader Uninstaller.exe
2012-04-22 22:14:43 -------- d-----w- c:\program files\XHeader
2012-04-20 13:19:40 -------- d-----w- c:\program files\Yontoo Layers
2012-04-20 13:19:32 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
.
==================== Find3M ====================
.
2012-05-16 00:35:39 102400 -c--a-w- c:\windows\RegBootClean.exe
2012-05-05 09:06:20 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-05 09:06:20 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-21 01:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-16 09:56:25 249856 ------w- c:\windows\Setup1.exe
2012-03-16 09:56:24 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
2012-02-23 15:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-30 16:44:45 8291328 ----a-w- c:\program files\HTML Guardian 7.msi
2010-07-14 17:37:00 455888 -c--a-w- c:\program files\common files\PredictAdInstaller.exe
.
============= FINISH: 3:01:41.84 ===============
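As an added example (not part of the original post, and not DDS or Bleeping Computer tooling), the following Python script parses a few lines excerpted from the DDS log above and flags what a log reviewer would pick out first: the process running from a \\.\globalroot path into the Installer\{GUID} folder the poster cannot see in Explorer, and the two drivers with random eight-letter names (kuenvehn.sys, minkjybk.sys) that were created on the same day with identical sizes. The rule names, the eight-lowercase-letter heuristic and the date/size correlation are my own assumptions for illustration, not vendor signatures.

```python
"""Flag Sirefef/ZeroAccess-style indicators in a DDS log (heuristics, not signatures)."""
import re
from collections import defaultdict

# Lines excerpted from the DDS log in the post above (trimmed to the entries
# the checks need; the full log has many more benign lines).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
\\.\globalroot\systemroot\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\U
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 kuenvehn;kuenvehn;c:\windows\system32\drivers\kuenvehn.sys [2012-5-19 42960]
S1 minkjybk;minkjybk;c:\windows\system32\drivers\minkjybk.sys [2012-5-19 42960]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
.
=============== Created Last 30 ================
.
2012-05-19 07:40:20 42960 ----a-w- c:\windows\system32\drivers\minkjybk.sys
2012-05-19 07:23:03 42960 ----a-w- c:\windows\system32\drivers\kuenvehn.sys
2012-05-18 14:32:09 1140 ----a-w- c:\windows\system32\tmp.reg
"""

SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")
# \\.\globalroot\... is an NT object-manager path; Explorer never shows it.
GLOBALROOT = re.compile(r"^\\\\\.\\globalroot\\", re.IGNORECASE)
INSTALLER_GUID = re.compile(r"\\Installer\\\{[0-9a-f-]{36}\}", re.IGNORECASE)
# "R0 name;display;path [yyyy-m-d size]" as DDS prints service entries
SERVICE_LINE = re.compile(
    r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: \[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\])?$")
# "yyyy-mm-dd hh:mm:ss size attrs path" as DDS prints Created Last 30
CREATED_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \S+ \S+ (.+)$")
# Heuristic (my assumption): eight lowercase letters used as both service and display name.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")


def parse_sections(text):
    """Split a DDS log into {SECTION TITLE: [lines]}, dropping the '.' spacers."""
    sections = defaultdict(list)
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1).upper()
            continue
        sections[current].append(line)
    return sections


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def find_indicators(text):
    """Return (rule, detail) tuples; an empty list means nothing tripped."""
    sections = parse_sections(text)
    findings = []

    # Rule 1: a process whose image lives behind \\.\globalroot or in an
    # Installer\{GUID} folder (the folder the poster could not locate).
    for line in sections.get("RUNNING PROCESSES", []):
        if GLOBALROOT.search(line) or INSTALLER_GUID.search(line):
            findings.append(("hidden-path-process", line))

    # Drivers that appeared in the last 30 days, keyed by file name.
    created = set()
    for line in sections.get("CREATED LAST 30", []):
        m = CREATED_LINE.match(line)
        if m and m.group(2).lower().endswith(".sys"):
            created.add(basename(m.group(2)))

    # Rule 2: random-looking driver names; Rule 3: drivers sharing date and size.
    by_date_size = defaultdict(list)
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_LINE.match(line)
        if not m:
            continue
        _state, name, display, path, date, size = m.groups()
        if not path.lower().endswith(".sys"):
            continue
        if RANDOM_NAME.match(name) and display == name:
            note = " [created in last 30 days]" if basename(path) in created else ""
            findings.append(("random-named-driver", f"{name} {path}{note}"))
        if date and size:
            by_date_size[(date, size)].append(name)
    for (date, size), names in by_date_size.items():
        if len(names) > 1:
            findings.append(("same-day-same-size-drivers",
                             f"{date} {size} bytes: {', '.join(sorted(names))}"))
    return findings


if __name__ == "__main__":
    for rule, detail in find_indicators(SAMPLE_DDS):
        print(f"{rule:28} {detail}")
```

Run on the excerpt, the script reports one hidden-path process, both random-named drivers (each also present in the Created Last 30 section), and one date/size pair shared by two drivers. None of the rules is proof on its own; the point is that the three signals line up on the same two files, which is what makes them worth handing to the helper rather than deleting blind.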

Answer: Infected with Trojan:Win32/Sirefef.AG and Sirefef.I

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check
Download Security Check by screen317 from here. Save it to your Desktop. Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this). Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<. Combofix may need to reboot your computer more than once to do its job; this is normal. You can download Combofix from one of these links: Link 1, Link 2, Link 3.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you.
Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer.

"information and logs"
In your next post I need the following:
Log from Combofix
Let me know of any problems you may have had.
How is the computer doing now?

Gringo


I installed Microsoft Security Essentials and ran a full scan of the system. But I found out that my Windows is attacked by Trojan:Win64/Sirefef.W, Trojan:Win64/Sirefef.M and Trojan:Win32/Sirefef.AK. Microsoft Security Essentials was unable to remove them. The main issue that I have been facing since this incident is that Windows can't update Firewall settings. The following message is displayed: "Windows Firewall can't change some of your settings. Error code 0x80070424". Additionally, the antivirus program "Microsoft Security Essentials" keeps on detecting the above mentioned malwares and asks to delete these files. Once deleted it asks for a reboot. After restart again these viruses are re-created and it's been happening for the last couple of weeks.

In order to resolve this issue I searched the internet and found http://www.bleepingcomputer.com so I posted a topic regarding this issue and I have been receiving help from one of your experts. Here's the link of this topic: http://www.bleepingcomputer.com/forums/topic455970.html/page__gopid__2721298#entry2721298

Now that problem persists, I have been asked for the elevated help and to post a new topic here. I am glad to know that your team is so dedicated for our help. As I am using 64-bit version of Windows so only DDS logs were created. DDS.txt logs are given below and attach.txt is been attached as well.....

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion... Read more

Answer: Infected with Trojan:Win64/Sirefef.W, Trojan:Win64/Sirefef.M and Trojan:Win32/Sirefef.AK

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more

27 more replies
Relevance 89.9%

When I try to turn Windows' firewall on/off, I get the message "Due to an unidentified problem, Windows cannot display Windows firewall settings.

The Security Service center cannot be started.

I cannot install cumulative security update for IE8.

I was getting redirected to different websites in new windows when surfing.

I recently removed AVG and installed Avast. I also recently updated JAVA and removed old JAVA stuff.

Avast keeps indicating it has blocked:

Infection - Win64:Sirefef-A[Trj]
Object [email protected]

Infection - Win32:Sirefef-AD[Rtk]
Object - [email protected]

Infection - Win32:Malware-gen
Object - [email protected]

I have scanned w/ Avast (Avast also did a boot scan), Malwarebytes, and SuperAntiSpyware, and nothing has changed except the redirect seems to have stopped.

I tried the gmer scan three times and each time it resulted in a blue screen. All I could read on the screen was uwldypow.sys.

Anyway the DDS file -

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 10.5.1
Run by JIM at 21:05:10 on 2012-06-29
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.170 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:&... Read more

Answer:Infected w/ Win64:Sirefef-A[Trj], Win32:Sirefef-AD[Rtk], Win32:Malware-gen

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

30 more replies
Relevance 89.61%

Avast keeps detecting Win32:Sirefef-B, Win64:Sirefef-A, and sometimes Win32:Malware-gen. Multiple scans detect & quarantine files, but the trojan warning keeps popping up. My friend ran ComboFix on it & claims that everything is fine now, but I'm concerned that he shouldn't have run ComboFix yet and also that it may not have actually removed this infection. Here is my log from DDS.txt:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16506
Run by Michael Calhoun at 0:57:18 on 2013-10-07
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.3034.1819 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Intuit\... Read more

Answer:Infected with Win32:Sirefef-BTT & Win64:Sirefef-A

Hello troyman5150 I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.
Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sam... Read more

16 more replies
Relevance 89.61%

Hello everyone,
I just discovered this forum while searching for a fix to my problem. I stumbled upon this post [Thread @ Bleepingcomputer] and he has the exact same problem as I have, even though the name is different. It seems his problem was fixed through a few custom actions a member suggested to him, and I figured I was SOL with my problem and would need the help. So thanks in advance to whoever ends up helping me!
So my PC was running a bit slow, but the thing that ticked me off was this popup that kept appearing randomly, even once triggering on youtube.com, a site which has never generated popups in the recent past. This nagged me so I launched MBAM and it found something called Trojan.Dropper.BCMiner and it failed to remove it after asking for a reboot. So I tried a bunch of stuff, I don't really remember all I did since I fired in no precise order: ComboFix (which didn't start at first, but it did once I rebooted into safe mode later in the process), the Kaspersky malware tool I've seen suggested a lot here (I don't remember the exact name), MBAM, an MSSE scan and SUPERAntiMalware. All of them failed at doing anything good. I also ran the avast MBR fix tool to no avail, it actually blue screened my PC.
After I started reading on the topic linked earlier, I ran almost the exact same procedure, up to getting a FRST log, which I now do have. In the end, I'm having the same problem I had at the beginning, MSSE is crazy about the two desktop.ini files in... Read more

Answer:Infected with Win32/Sirefef.P and Win64/Sirefef.AB

Hi,
I'd like to see an updated FRST log:

Download Farbar Recovery Scan Tool and save it to a flash drive. (You need the 64-bit version.)
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.... Read more

14 more replies
Relevance 89.61%

I recently downloaded a file and was later infected by Win32/Sirefef.AB and Win64/Sirefef.P viruses. Any help in resolving this issue would be greatly appreciated.
 

Answer:Infected with Win32/Sirefef.AB and Win64/Sirefef.P. Help

Welcome to MajorGeeks, Yellow77

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and f... Read more

3 more replies
Relevance 89.03%

Hi,
I have recently changed AV programs from Eset nod 32 to Microsoft Security Essentials.

Upon running a scan with MSE, it has detected two trojans,
Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

Located in:
C:\Windows\assembly\GAC_32\Desktop.ini

I have gone through READ & RUN ME.
I did not run RootRepeal as I have Windows ultimate x64.
ComboFix and TDSSKiller did not create log files.

TDSSKiller did find 2 threats and attempted to delete them; upon reboot Windows became stuck in loading.

Thanks in advance
 

Answer:Trojan:Win32/Sirefef.AB & Win64/Sirefef.P

Currently reviewing those logs and will get back to you as soon as possible.
 

2 more replies
Relevance 87.58%

found with mse and scanned with malwarebytes no help, just hoping someone can help
 
dds file logs
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 1.7.0_09
Run by Sean at 15:38:09 on 2013-08-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8141.5674 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* 1
SP: Windows Defender *Disabled/Updated* 0
SP: Microsoft Security Essentials *Disabled/Updated*

.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k... Read more

Answer:trojan.win64/sirefef.p and trojan.win32/sirefef.ab removal help

Hello silencer626 I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.
Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sa... Read more

34 more replies
Relevance 86.42%

Hi, need some help and here are the requested logs.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Bobbie at 0:06:17 on 2011-12-08
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3061.1616 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.e... Read more

Answer:Infected with Trojan.Win32.Sirefef.a / p other

Someone can close, delete, ignore or handle this however you normally do when you get no response as I have decided to back up and restore system to original condition. I think it is just too far gone. Thanks!

2 more replies
Relevance 86.42%

Several months back my mother's netbook was infected with ZeroAccess. I was able to clean that off and it ran fine for awhile. Then all the icons on the desktop disappeared again, there is no network (wired or wireless) and after every reboot Microsoft Security Essentials detects and quarantines an instance of Trojan:Win32/Sirefef.AH. Nothing else has been detected in the past month.

I followed the prep guide but DDS would freeze the whole computer after display 50 #'s. So, sorry no DDS.txt or Attach.txt.

GMER finished and the ark.txt file is attached. However, there was a problem running GMER. I got the following error:

LoadDriver ( "C:\DOCUME~1\Lou\LOCALS~1\Temp\uxloakow.sys" ) error 0xC000010E: Cannot create a stable subkey under a volatile parent key.
Also, when the GMER window opened, only Services, Registry, Files and ADS could be selected.

Answer:Infected with Trojan:Win32/Sirefef.AH

Hi,
Please run the following:

Please download Unhide.exe to your desktop:
Double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the hidden attributes from all the files on your system. Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.

NEXT

Download OTL to your Desktop
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Select All Users
Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /rp /s
DRIVES
CREATERESTOREPOINT

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Post both logs

22 more replies
Relevance 86.42%

http://www.bleepingcomputer.com/forums/topic455847.html/page__gopid__2722494#entry2722494

After following the instructions in the above post, I still believe to be infected. Per the last instructions in that post, I ran DDS and GMER along with sysinternals to view the running processes in more detail. Attached are the reports.

Something to point out again is that every time I load Kaspersky, CPU usage is high and 2 svchost.exe processes are associated with Kaspersky that normally don't show in another healthy computer that I have at home. Sysinternals' private bytes column went as high as 1GB so I don't know if this means that my data was compromised or not. Please refer to screenshot to illustrate my point.

Thanks.

Answer:Infected with Win32/sirefef.ev trojan

Hi consigliere,
My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.
Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can also help.
Do not run anything while running a fix.
If you don't understand a step, please ask for clarification before continuing with any future steps.
Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

It appears you've already run Combofix. Please post the Combofix log located at C:\Combofix.txt in your next post.

36 more replies
Relevance 86.42%

Do not know how to remove.
DDS scan files attached.
Thank you!

Answer:Infected with Trojan:win32/sirefef.AB

Hello sltmfla I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.
Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same",... Read more

32 more replies
Relevance 86.42%

Hello,
I've made several attempts to clear a trojan/virus infection from my computer using previous posts on this forum, but have been unsuccessful. It started with an alert popup from Windows Security Essentials saying that it detected threats (which I tried to remove using that program - it would say it was clean for a while and then pop up again) and my yahoo and google searches redirecting to invalid pages. I followed directions from another post and went into safe mode and used TDSS Killer, Malwarebytes and Super Anti-spyware - all three programs found threats, removed them, and now come up clean when I run them. I have rebooted after each scan and removal. However, the Windows Security Essentials is still popping up showing threats detected. When I click on the details screen it shows "trojan:win32/sirefef.S, trojan:win64/sirefef.E, and trojan:win64/sirefef.D" as the threats. The yahoo/google searches are no longer redirecting, but the internet is running much slower than usual. I would really appreciate any help that you could offer in removing them! Thanks in advance.
Below is the dds text and the attach and ark texts are attached.
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Michele at 11:47:12 on 2011-12-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.183 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA... Read more

Answer:Infected with Trojan:win32/sirefef.s

Hello and Welcome to the forums!
My name is Gringo and I'll be glad to help you with your computer problems.
Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more

13 more replies
Relevance 86.42%

Hello,

I followed the instructions posted for removing the so-called Windows XP Security 2012 virus last week. However, other viruses seem to have taken its place. ESET is continuously blocking attacks, and when it performs a scan, it claims there to be a threat in the memory ( a variant of Win32/sirefef.DT trojan) that cannot be cleaned.

I followed the instructions in the preparation guide, but could not actually run the dds.scr scan -- when I double-click the icon, the window blinks and disappears. Further, I tried running GMER scan twice. The first time, the scan aborted after about 5 minutes - the entire program simply closed down. The second time was going very well, but about 5 hours into the scan, I got the "WARNING! about rootkit activity" message. I clicked OK, and the log up to that point disappeared entirely before the scan was finished, and before I could save/copy it.

Other symptoms I am now experiencing are an occasional Google redirect, and subsequent connectivity problems.

Thanks in advance for all of your help.

Answer:Infected with Win32/Sirefef.DT trojan, among others

Hi,
Please do the following:

Download OTL to your Desktop
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Select All Users
Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Post both logs

NEXT

Please download aswMBR to your desktop.
Double click the aswMBR.exe icon to run it
When asked if you want to download Avast's virus definitions please select Yes.
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

64 more replies
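The OTL custom scan in the reply above, and the identical block in the earlier Unhide/OTL reply on this page, hashes every copy of explorer.exe, winlogon.exe, userinit.exe and svchost.exe (/md5start ... /md5stop) and lists extensionless folders under %systemroot% (the \*. /rp /s line); the firewall error 0x80070424, the patched services.exe alert and the Installer\{GUID}\U\ and assembly\GAC_32\Desktop.ini paths quoted by other posters all point at the same places. The PowerShell below is an added triage script for a defender looking at such a machine; it is not from any post on this page nor part of OTL, DDS, FRST or Unhide. It assumes an elevated PowerShell 2.0 or later session on the affected Windows XP/Vista/7 system, default Windows service names, and only the folder and file names quoted in this thread; the function names are my own. It reports leads and changes nothing.

```powershell
# Added triage script (not from the forum posts, OTL, DDS or FRST). Assumptions: elevated
# PowerShell 2.0+ on the affected Windows XP/Vista/7 machine; default service names;
# the folder and file names are the ones posters quoted in this thread. Read-only.

function Get-Md5Hex {
    # MD5 of one file as hex, via .NET so it also runs where Get-FileHash (PS 4+) is absent.
    # Shared read/write access lets it hash binaries that are currently executing.
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $stream.Close(); $md5.Clear() }
}

function Find-DivergentSystemBinaries {
    # What OTL's /md5start ... /md5stop block asks for: hash every copy of the named binaries
    # under %SystemRoot% and keep only names whose copies disagree. A patched services.exe
    # (one poster's AV alert) shows up here; so does a benign service-pack or dllcache copy,
    # so treat a hit as a lead to verify against a known-good file, not as a verdict.
    param([string[]]$Names = @('explorer.exe', 'winlogon.exe', 'userinit.exe', 'svchost.exe', 'services.exe'))
    $copies = Get-ChildItem -Path $env:SystemRoot -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($Names -contains $_.Name.ToLower()) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name = $_.Name.ToLower(); Size = $_.Length; Path = $_.FullName; MD5 = (Get-Md5Hex $_.FullName)
            }
        }
    $copies | Group-Object Name |
        Where-Object { @($_.Group | Select-Object -ExpandProperty MD5 -Unique).Count -gt 1 } |
        ForEach-Object { $_.Group | Sort-Object Path }
}

function Find-SirefefStyleFolders {
    # The '%systemroot%\*. /rp /s' line lists extensionless folders; this narrows it to the two
    # locations quoted in the thread: Installer\{GUID}\U\ and assembly\GAC_32\Desktop.ini.
    # Legitimate MSI caches are also {GUID} folders, so only a 'U' subfolder is reported.
    # An 'Access denied' on one of these while elevated is itself worth noting.
    $hits = @()
    $installer = Join-Path $env:SystemRoot 'Installer'
    $guidDirs = Get-ChildItem -Path $installer -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' }
    foreach ($dir in $guidDirs) {
        $u = Join-Path $dir.FullName 'U'
        if (Test-Path -LiteralPath $u) {
            $hits += New-Object PSObject -Property @{ Kind = 'Installer\{GUID}\U'; Path = $u; Attributes = $dir.Attributes.ToString() }
        }
    }
    foreach ($gac in 'GAC_32', 'GAC_64') {
        $ini = Join-Path $env:SystemRoot "assembly\$gac\Desktop.ini"
        if (Test-Path -LiteralPath $ini) {
            $f = Get-Item -LiteralPath $ini -Force
            $hits += New-Object PSObject -Property @{ Kind = "assembly\$gac\Desktop.ini"; Path = $f.FullName; Attributes = $f.Attributes.ToString() }
        }
    }
    $hits
}

function Test-SecurityServices {
    # Error 0x80070424 is HRESULT_FROM_WIN32(1060), ERROR_SERVICE_DOES_NOT_EXIST: the firewall
    # applet cannot reach its service because the registration is gone, not merely stopped.
    # XP's firewall lives in SharedAccess; Vista/7 use MpsSvc and BFE. wscsvc is Security Center.
    $vistaOrLater = [Environment]::OSVersion.Version.Major -ge 6
    $expected = if ($vistaOrLater) { 'MpsSvc', 'BFE', 'wscsvc', 'WinDefend', 'wuauserv' }
                else { 'SharedAccess', 'wscsvc', 'wuauserv' }
    foreach ($name in $expected) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = 'MISSING'
        if ($svc) { $status = [string]$svc.Status }
        New-Object PSObject -Property @{ Service = $name; Present = [bool]$svc; Status = $status }
    }
}

function Get-HiddenDesktopItems {
    # The 'desktop icons disappeared' symptom: items carrying the Hidden attribute on the
    # Desktop, which is what the Unhide.exe step in the earlier reply reverts.
    Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Desktop') -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0 } |
        Select-Object Name, Attributes
}

Write-Host '== Copies of critical binaries whose hashes disagree (may take several minutes) =='
Find-DivergentSystemBinaries | Format-Table Name, Size, MD5, Path -AutoSize
Write-Host '== Sirefef-style locations quoted in this thread =='
Find-SirefefStyleFolders | Format-Table Kind, Attributes, Path -AutoSize
Write-Host '== Firewall / Security Center services =='
Test-SecurityServices | Format-Table Service, Present, Status -AutoSize
Write-Host '== Hidden items on the Desktop =='
Get-HiddenDesktopItems | Format-Table -AutoSize
```

Run it from an elevated prompt and keep the output alongside the OTL, DDS and FRST logs the helpers ask for: a copy of services.exe whose MD5 differs from the other copies under %SystemRoot%, a {GUID}\U folder under Installer, or a MISSING firewall service corroborate what the AV alerts in this thread describe and tell the helper which of their tools to reach for next. The script deliberately does not delete or repair anything, matching the helpers' request that no tools be run until instructed.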
Relevance 85.84%

Good day Sir

I am currently using AVG anti-virus. I discovered yesterday that my pc was infected with the above when a pop up appeared from AVG Resident Shield Alert.
Filename : c:\WINDOWS\System32\services.exe
Threat warning: Trojan horse patched_c.LZI detected when open

I searched online & followed to this forum. I ran esetscan & found this:
C:\Downloads\Software\apex-video-converter-free.exe multiple threats
C:\WINDOWS\Installer\{9081a400-93a1-c7e5-1756-88339bbd685a}\U\[email protected] Win64/Agent.BA trojan
C:\WINDOWS\Installer\{9081a400-93a1-c7e5-1756-88339bbd685a}\U\[email protected] Win64/Sirefef.AE trojan
C:\WINDOWS\Installer\{9081a400-93a1-c7e5-1756-88339bbd685a}\U\[email protected] a variant of Win32/Sirefef.FD trojan
Operating memory a variant of Win32/Sirefef.EZ trojan
I would appreciate whatever help in overcoming this threat.

Thank you & looking forward to your advice.
D

Answer:Win64/Agent.BA trojan, Win32/Sirefef.FD trojan & Sirefef.AE trojan

Hello,
Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.
If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
Orange Blossom

21 more replies
Relevance 85.84%

Hello Bleeping!
A few days ago I removed Norton AV and installed MSSE. MSSE detected Trojan Dropper: Win32/Sirefef.B and Rogue:Win32/FakeRean. For the past two full system scans MSSE has detected and removed the dropper, and the last scan (last night) detected the Fake Rean. The MSSE removals don't appear to be effective against the dropper. Another peculiar thing, when I installed MSSE a few days ago, it told me my firewall was not up, but when I go into MS Security Center it says that the firewall is "ON". Not sure if perhaps the Norton AV removal maybe wasn't complete and that I am getting "false positives", or if something is really there. My logs are as follows:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_30
Run by Eric at 16:37:09 on 2012-02-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2216 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\syste... Read more

Answer:Infected with Trojan Dropper: Win32/Sirefef.B AND Rogue: Win32 Fake Rean

Hello and Welcome to the forums!
My name is Gringo and I'll be glad to help you with your computer problems.
Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

18 more replies

Hello, MSE had a message that said detected and cleaned virus and in the history came up Trojan:win32/sirefef.ak
.am
.ag
/sirefef and then proceeded to say remove.
kept getting the MSE logo spinning and saying cleaning and then same viruses would be in history
I used Malwarebytes and it found the four as well and cleaned them but I feel something is still there and running in the background because when I reboot my desktop icons keep resetting if I change them. Need help

Thanks
LR

what do you need for me to run a log to show the computer status?

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Roger Trudel :: ROGERTRUDEL-PC [administrator]

12/06/2012 6:25:09 PM
mbam-log-2012-06-12 (18-25-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 280359
Time elapsed: 15 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)... Read more

Answer:Trojan: win32/sirefef.ak & am & ag and sirefef

Hello and welcome to the forums!
My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!
I would be glad to take a look at your log and help you with solving any malware problems.
If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, please delete ... Read more

28 more replies

I've been infected with viruses. I realized it when I was redirected to another website (CC Search) by Google after a Google search. After searching about this CC Search, I decided to install anti-virus to remove some viruses. I've tried installing Kaspersky but it seemed that it couldn't start. While downloading other anti-virus software, my internet connection was "cut off" half-way. This happens too when I am downloading other programs. It was then I started downloading using FreeDownloadManager so I could pause the download and continue after rebooting my computer when my internet connection was back. (The connection remains for about 5 minutes after starting a download.) Therefore I restarted 3-4 times before successfully downloading the anti-virus (HitMan and Spyware Doctor) and TDSS killer. Although infections were found and removed, after rebooting my computer, Windows Defender found this trojan, Win32/Sirefef.O. Windows Defender prompted me to remove it and after clicking "Remove All", an error occurred:
Error encountered: Code 0x80508017. Some actions couldn't be applied to potentially harmful items. The items might be stored in a read-only location. Delete the files or folders that contain the items or, for information on removing read-only permissions from files and folders, see Help and Support.
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Advice: Remove this software immediately... Read more

Answer:Infected with viruses. (Trojan:Win32/Sirefef.O)

With the information you have provided I believe you will need help from the malware removal team. Please make sure that you read the information about getting started first. Then start a new thread HERE and include our required logs. Including a link to this thread will be helpful. Good luck and be patient. Help is on the way!

1 more replies

Hi everyone. Hope you won't mind helping me with this issue.

Yesterday, upon start up of my laptop (Windows Vista Home Edition OS), I was informed by Avast that I had some sort of a trojan infection and that it would proceed to quarantine them to the virus chest. After the reboot and scan, it had shown that the virus was removed but another scan done by MBAM revealed that the infected object was still there. I was told by MBAM that it was the following file C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) but I can't seem to find it anywhere. An Avast scan stated the following had been removed/placed in virus chest but each subsequent scan by MBAM still reveals the Desktop.ini to be infected.

C:\Windows\assembly\GAC\Desktop.ini
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\n
C:\Windows\Installer\...\[email protected]
Win32:Sirefef-PL[Rtk]
Win32:Malware-gen

At one point, Avast stated that one of my music software exe files for FL Studio.exe was a virus even though upon scanning by both Avast and MBAM, it was not. I'm not sure what is the cause of some false positives or how to remove this virus. My Google Chrome browser gets periodically automatically redirected to this address http://83.133.127.55/ whenever I click on a link in Yahoo or Google.

Also, whenever I try to access google.com on Chrome, I receive the following message:

The site's security certificate ... Read more

Answer:Infected with Trojan.0access and Win32:Sirefef-PL[Rtk]

Hi,
Please run the following:
Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Boot Menu:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
Use the arrow keys to select the Repair your computer menu item.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Choose your language settings, and then click Next.
Click Repair your computer.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool (Scan your computer's memory for errors.)
Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe and press Enter.
Note: Replace letter e with the drive letter of your ... Read more

17 more replies

Hello,

I started noticing problems with my PC when I received the Vista Anti-Virus 2012 window popping up.
I was aware this was a virus so I ran Malwarebytes and was able to remove this from the PC.

Then I started noticing that whenever I would search for something in Google and I'd click
a link on the listing, I would be re-directed to another shady looking website.

It continually did this with multiple websites I tried visiting so I ran some more scans.

I ran the ESET Online scanner and this is when the Win32/Sirefef.DA Trojan was identified amongst
a few other viruses. The scan picked up two instances of the Win32/Sirefef.DA Trojan and was unable
to remove both of them but was able to remove everything else.

The machine is still infected so if someone wouldn't mind
taking a look at my logs and helping me get this fixed I'd greatly appreciate it.

Here's the DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19170 BrowserJavaVersion: 1.6.0_26
Run by Sheri A at 8:22:26 on 2011-12-22
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.2039.724 [GMT -8:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\... Read more

Answer:Win32/Sirefef.DA Trojan Infected Computer

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

21 more replies

Hi, I have an acer aspire 3690 running Windows xp and I have been infected with the Win32/sirefef.EZ trojan virus. I have tried ESET, Malwarebytes, and TDSS rootkit to try and remove it but no luck. I have searched for a solution to this particular problem in many different forums but none of the solutions I have seen have worked for me. Thanks in advance for any help.

Answer:Infected with Win32/Sirefef.EZ trojan variant

Download TDSSkiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)
Do not change the default options on scan results
Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here.
If you get crashes in normal mode, run it in safemode with networking
Download ESET online scanner
Install it
Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply

1 more replies

Anti-virus keeps asking to reboot system to clean files that are "locked or in use." Rebooting does not remove or clean files, and reboot message returns. Anti-virus scan shows red flags for the following: Operating memory » services.exe(640) - a variant of Win32/Sirefef.EV trojan - unable to clean; and, Operating memory » C:\Windows\assembly\GAC\Desktop.ini - a variant of Win32/Sirefef.EZ trojan - deleted (after the next restart) [2].

.
DDS (Ver_2012-10-14.05) - NTFS_x86
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 10.7.2
Run by Give at 18:06:33 on 2012-10-15
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.1.1033.18.2036.952 [GMT -6:00]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Outdated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: COMODO Defense+ *Enabled/Updated* {1C31E4C3-A132-6AC6-4A85-4415E7D88418}
SP: ESET NOD32 Antivirus 4.0 *Enabled/Outdated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: COMODO Defense+ *Enabled* {9F6B8402-CD67-6410-5B6A-D652628C89DE}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32... Read more

Answer:Infected with a Variant of Win32/Sirefef.EV - Trojan

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems.
I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top o... Read more

25 more replies

My security alert says I have these four viruses and all attempts to clean them using microsoft forefront client security have failed. Besides, the computer shuts down every couple of minutes. Please help, I am frustrated.

Answer:Please help me rid my laptop of win32/sirefef.an, sirefef, sirefef.ao, and sirefef.ag

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems.
I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At... Read more

23 more replies

I followed the instructions for malware removal assistance, and didn't realize until now that ADWCleaner Scan log is also required. I have uploaded the scan logs for the other two and will try to find ADW and perform that scan to add its log to the thread.

It appeared that the scan by aswMBR froze mid scan, so I waited 30 minutes, and when it had not updated or moved, I saved the log. I was planning to try to scan again, but can't figure out how to get it to go again.

Any assistance to help me clean my PC and get it working properly is greatly appreciated.

All my best,
Ms. DexSadPC
 

Answer:Trojan Win32/Sirefef!cfg on my pc, MSE supposedly removed, but PC still infected I think.

Hi and welcome to the MalwareTips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to neces... Read more

20 more replies

Good morning and thank you for what you do.

On May 6th my laptop was hit with SMART HDD. I went straight to the "Am I Infected" forum, posted the problem and followed the "Remove SmartHDD Uninstall Guide" with the help of a BC Advisor. It seemed ok for a few days and I got most of my icons back.

On May 16th Microsoft Security Essentials popped up a notice saying it wasn't turned on. Absolutely couldn't get it to start without uninstalling and re-installing it. On install it ran a scan and found no threats, but later found & quarantined Trojan:Win32/Sirefef.AG and Trojan:Win32/Sirefef.I. At the same time, the Windows Firewall became disabled and would not be turned on. I returned to the forum with my original BC Advisor and ran TDSSkiller and GMER and posted the log report. When I had internet connection MSE would quarantine Trojan:Win32/Sirefef.I and Trojan:Win32/Sirefef.AG at a rate of one every two minutes. The screen also said Recommended Action: Remove this software immediately. Items: file:C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] and file:C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\[email protected] I hit "remove all" every time it appeared. BC Advisor responded "That's a new variant of zero access" "We need advanced tools" and told me to read the preparation guide and post a topic here.

I have followed ... Read more

Answer:Infected: New Variant of Zero Access, Sirefef.AG,Sirefef.I,Sirefef.P

Hi,

Do you have an empty USB flash drive?
We can try an alternative method.

Regards,
Georgi

more replies

Hello everyone, sorry if I make another post about this virus but as I saw around it seems to be different for everyone (the removing process)

Here I am, from Italy, praying for someone to help me to remove this, the situation atm is that at intervals of 3 minutes Microsoft Security Essentials finds on my pc these 2 files

Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P
and I don't know what to do.. anyone that is able to help me?

EDIT: I'm running Windows 7 Ultimate Edition 64 bit Service Pack 1
 

Answer:Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P NEED HELP PLEASE!

Anyone that can help me? That thing is stealing all my passwords!
 

2 more replies

Hello everyone, sorry if I make another post about this facking virus but as I saw around it seems to be different for everyone (the removing process)

Here I am, from Italy, praying for someone to help me to remove this facking bleep, the situation atm is that at intervals of 3 minutes Microsoft Security Essentials finds on my pc these 2 files

Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P
and I don't know what to do.. anyone that is able to help me?

EDIT: I'm running Windows 7 Ultimate Edition 64 bit Service Pack 1

Answer:Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P NEED HELP PLEASE!

Anyone that can help me? That thing is stealing all my passwords!

4 more replies

Hi, I'm from Portugal and I'm getting frustrated because I can't remove this virus.

Microsoft Security Essentials is finding 2 files I can't remove when I reboot the computer. When I reboot, MSE continues to find those files.

I'm running Windows 7 Home Premium Edition 64 bit service pack 1.

Please help me!

Answer:Trojan:Win32/Sirefef.AB and Trojan:Win64/Sirefef.P

Help me, please. I don't know what to do.

60 more replies

Hi guys,

I'm running Windows 7 64bit OS. I recently found that Microsoft Security Essentials wasn't running and I had to reinstall it. Once I did it found these trojans.
I did a bit of research and read some other posts but it looks like there is a detailed and unique fix for each person.

I think I have done everything in the READ AND RUN ME thread, and I hope I have attached all the correct logs as requested.

The only problems I had were with MGTools. I got the following errors:
"The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll"
and
"Application has generated an exception that could not be handled.

Process id=0xac8 (2760), Thread id=0xce4 (3300)"

Thanks for your time.

Cheers
 

Answer:Trojan: Win32/Sirefef.AB and Trojan: Win64/Sirefef.P

Rescan with HitmanPro.
Choose to Delete these files if they are detected:

C:\$Recycle.Bin\S-1-5-18\$f6a6e0a66969d09ba37420a38f97ea5e\n
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

Ignore all other detections.
Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

[RUN][BLACKLIST DLL] HKLM\[...]\Run : THXCfg64 (C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-360523327-522932163-1323501305-1000\$f6a6e0a66969d09ba37420a38f97ea5e\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$f6a6e0a66969d09ba37420a38f97ea5e\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : ... Read more

11 more replies

Hi there, I kept getting a virus that AVG couldn't remove, which AVG wouldn't stop popping up about, so I tried a different anti virus software, MSE, which seemed to have, I would believe, half fixed the problem, as symptoms from the virus before like redirected webpages etc. MSE managed to stop; however MSE is having trouble dealing with Trojan:Win64/sirefef.M and Trojan:Win32/sirefef.AK. Now I saw a topic posted about the win32 one which suggested using combofix, which this site states do not use unless asked to, so I wanted to do things by the book (or ask you guys about the problem). I have used combofix before on the same machine to remove another virus a while ago (maybe a year ago?). A step by step method of removing the viruses and what the viruses actually do so I know how bad it is for future reference. Thank you. Using an ASUS ROG laptop with Windows 7.
Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal

Answer:Trojan:Win64/sirefef.M and Trojan:Win32/sirefef.AK

Download TDSSkiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)
Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here
Download ESET online scanner
Install it
Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply

15 more replies

Hi,
I'm stuck with Microsoft Security Essentials detecting two trojans upon startup:

Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

Located in:
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

I ran everything on the READ & RUN ME (except RootRepeal as I got Windows 7 Professional x64).

I hope I have attached all needed logs.

P.S. I'm pretty sure that the KMService.exe in the MBAM log is a false positive (It's MSOffice activator).
 

Answer:Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Also this:
 

20 more replies

Ladies and Gentlemen of the VTSM forum,

I need help. I thought I had a pretty simple rootkit infection, but tdsskiller/mbam has proven ineffective. MSE is able to identify and ostensibly remove the infection, but doing so makes the computer unbootable and system repair unable to complete, forcing a system restore to the infected state. Infection extends back to the oldest restore point. Win7 64 bit, running MSE and MS firewall with mbam for antimalware. SFC/scannow shows clear. google redirects on firefox and chrome, occasional slowdowns, windows defender is unable to start on boot, otherwise the system seems to be running fine. No rootkits recognized by tdsskiller. As mentioned in the title, MSE shows win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e

Here's the DDS log. Please let me know what else I should supply. Thank you in advance!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by wstrawn at 16:51:52 on 2012-02-17
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4061.1285 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* / Copyright 4
SP: Microsoft Security Essentials *Enabled/Updated* / Copyright 3
SP: Windows Defender *Disabled/Updated* / Copyright 2
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch... Read more

Answer:win32/conedex.b, win32/sirefef.p, win64/sirefef.m, and win64/sirefef.e combination is killing me

Hi Weeps!
My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!
I would be glad to take a look at your log and help you with solving any malware problems.
If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, please delete the copy that you... Read more

37 more replies

A few days ago I started having issues with Google redirecting me to random ad websites, as well as Flash Player update popups. I updated my Microsoft Security Essentials, and since then it has been warning me with the presence of the file names in the topic title, and giving me the option to remove them. I select the removal option and everything is fine for a time but then MSE pops up again warning me of the same files. Anything you could do to help me get rid of these is greatly appreciated.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_25
Run by Dave at 14:15:54 on 2012-04-03
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4031.2141 [GMT 10:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\... Read more

Answer:Infected With Alureon.FP, Sirefef.B, Sirefef.W, Sirefef.AB & Sirefef.J

Download aswMBR ( 511KB ) to your desktop.
Double click the aswMBR.exe icon to run it
If you have an open Internet connection, allow it to download the latest Avast engine detections.
If avast! antivirus is already installed, just do the next step.
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
In addition, aswMBR will produce a copy of the boot sector, MBR.dat, on your desktop. Attach this file to a reply.

3 more replies

While browsing, out of no where, Live Security Platinum (i never installed this) popped up. It closed all running apps so i restarted PC and run scan using MSR. It detected Win32/Sirefef but was unable to delete it and promoted that "Windows has encountered a critical problem and will restart in one minute". I restarted PC in safemode, disabled MSE service and scanned PC using Mcafee and it detected Trojan.Zeroaccess viruses and was unable to delete one of the file. I installed Malware Bytes and scanned and it also detected Trojan.Zeroaccess.

Now I am able to boot in normal mode (no "Windows has encountered a critical problem and will restart in one minute" message) but the PC has become slow. Need to disinfect anything remaining, need help in doing so.
Thanks

Answer:Infected with Win32/Sirefef, Trojan.Zeroaccess, Live Security Platinum

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

6 more replies
Relevance 81.49%

Hi,
 
I tried the search but couldn’t find any threads about Trojan:Win32/Sirefef.AB and Trojan:Win32/Sirefef.AN. I apologise in advance if this is not the place to post this.
 
I’m running an old HP Pavilion using Windows XP. Yesterday my computer was attacked by a virus that disabled Microsoft Security Essentials, breaking the desktop shortcut and making it unusable. I found, using a trial version of HitmanPro, that the virus disables and redirects Microsoft Security Essentials’ files. However, because the trial period was over I was unable to repair it. I performed a system restore in safe mode. The restore “failed” but it partially “fixed” Microsoft Security Essentials. Immediately after, I ran a quick scan using Malwarebytes in safe mode with networking. It found a vendor called Rootkit.0Access that it was unable to remove, even after a few repeated quick scans. I downloaded and attempted to use the Malwarebytes Anti-Rootkit tool but was unable to get it to work. I then searched the internet about the file and found that TDSS Killer could help. After running TDSS Killer and restarting in normal mode it managed to fix the issue and Microsoft Security Essentials notified that the computer was infected and gave the option to clean. After cleaning it gave the option to restart the computer. After restarting it found two files called Trojan:Win32/Sirefef.AB and Trojan:Win32/Sirefef.AN under the "All detecte... Read more

Answer:Trojan:Win32/Sirefef.AB and Trojan:Win32/Sirefef.AN files

Hello moe, please run these next. Try all from Normal mode unless you cannot run them, then use safe mode with networking.

Please download Rkill by Grinler and save it to your desktop.
Link 1
Link 2
Double-click on the Rkill desktop icon to run the tool.
If using Vista, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
...
Run TDSS again
Download TDSSKiller and save it to your desktop.
Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
...
Last run ESET.
Hold down Control and click o... Read more

4 more replies
Relevance 81.2%

Hello all,

I'm a first time poster here and have come here looking for help in resolving my infection issue. I followed the directions in the read first thread and will post my logs. I am / was experiencing the following issues:


Firefox would redirect to various pages such as newsfudge.com. Since proceeding through the read first post, and also running goored? I have not noticed this recently.
Sometimes browsing seems to be incredibly slow, possibly related to the redirections.
Since attempting to troubleshoot this issue (Microsoft Security Essentials), it is believed that this is causing the following issue:

! You are about to be logged off
Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now.

If I let the computer restart itself, then this will keep happening. I have learned to "interrupt" it by running a normal restart after the message pops up. So far every time the computer comes back I won't get the message. If I restart again, it will happen again. I haven't noticed anything in particular relating to this in the system log.

While not experiencing problems with the programs to resolve issues like this, I have noted that it has prevented me from patching games such as Rift. I believe this is related.
While working in safemode sometimes I noticed Adobe Flash 11.3 installer would frequently run trying to get me to install it. I do believe there was a massive security thr... Read more

Answer:Win32/Sirefef.AB & Win64/Sirefef.P; Browser Redirection, Windows Critical, Restarts

Welcome to Major Geeks!


Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.

Also allow Hitman to delete the C:\Windows\assembly\GAC_32\Desktop.ini piece of the infection
Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.
Reboot back into normal Windows and run another scan with HitmanPro and then attach the latest hitmanpro.zip log.
Also do the below:

Delete the below folders if found:
C:\Windows\installer\{5efa2d27-76c5-fff1-abd3-fdc5fc0c9d41}
C:\Users\Administrator\AppData\Local\{5efa2d27-76c5-fff1-abd3-fdc5fc0c9d41}


Download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

C:\MGlogs.zip
Make sure you tell me how things are working now!
 

1 more replies
Relevance 79.75%

I went through the other threads and noticed a fix.txt is needed to repair my brother's computer. I used the frst64 to acquire the two logs attached to this message. Any chance someone can help us? Let me know if you need anything else. His computer starts up and then shuts down before much can be done so I don't have a normal log for you, but I will see what I can get for you.

Thanks!
Scott

View attachment FRST.txt



View attachment Search.txt
 

Answer:win32/sirefef.ab and win64/sirefef.p infection fix.txt needed

You did not run it properly, as indicated by the contents of the log. You need to do it again according to these instructions and you must NEVER follow a fix tailored especially for someone else.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
Sys... Read more

11 more replies
Relevance 79.46%

Please run the following:
Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more

Answer:Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute. Firewall cannot turn on

Hi,

Thanks for the reply.

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 29-07-2012 11:19:09
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL "" [1111568 2011-10-08] (Trend Micro Inc.)
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2589992 2011-04-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [617120 2011-03-13] (Atheros Commnucations)
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [197152 2011-02-10] (Trend Micro Inc.)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\A... Read more

20 more replies
Relevance 78.59%

Hello,

Yesterday my PC was infected with the Live Security Virus. It's an HP desktop running Win Vista Home Premium.

I was able to download AntiMalwarebytes and run it to remove the Live Security Virus.

Afterwards MSE would not run, so I uninstalled it, and reinstalled.

After rebooting, MSE detected the sirefef.ah and sirefef.r viruses, but before it can clean them the PC gives a warning that it had a critical error, and will restart in a minute. It then restarts.

I tried downloading TDSSKiller onto a flash drive on this PC (my laptop), plugged it into the infected PC and ran it, but it didn't find anything. Sure enough, it then shut down again.

MSE will detect the viruses, but doesn't have enough time to deal with them.

I'd love some help! What should I try next?

Thanks!
Ian

Answer:Infected with sirefef.ah and sirefef.r after Live Security Update - reboots every minute

Ignore this for now, I've taken the PC into a local shop. I just don't have the time right now to figure this out on my own. I will post any solutions they tell me.

Thanks anyway, I'll be back for other issues I'm sure!

22 more replies
Relevance 78.3%

Hello. My antivirus picked up these two and I was wondering if anyone could help me remove them. I tried using dds to send you logs but no attach or dds txt pops up after using it,and I'm an amateur when using computers so I have no idea how to find those logs if they exist somewhere in my system. Hope someone can help.

Answer:win64 sirefef -btt and win32 sirefef - a detected

Hello SONYAns I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.
Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same",... Read more

4 more replies
Relevance 78.3%

Hello,

Microsoft Security Essentials is notifying me that Win32/Sirefef.AB and Win64/Sirefef.P are potential threats, but of course trying to remove them does nothing.

Attached is my Farbar Recovery Scan Tool log. Thanks in advance for any help!

Answer:Win32/Sirefef.AB and Win64/Sirefef.P Infection

Hello user314159 and welcome to the forums!
My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!
I would be glad to take a look at your log and help you with solving any malware problems.
If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, ple... Read more

4 more replies
Relevance 78.3%

Hi guys,

Since yesterday I'm getting alerts from Microsoft Security Essentials about trojans in C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini

First I tried bootable live CDs from AVG and Dr.Web, scanned and cleaned the PC with Microsoft Security Essentials, and after it didn't help, smoked Google a little and found your forum.

Read "READ & RUN ME", and here are the log files.

Huge thanks in advance
 

Answer:Trojans: Win32/Sirefef.AB and Win64/Sirefef.P

and here are 3 other logs..
 

4 more replies
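The MSE alerts in the post above (Desktop.ini in C:\Windows\assembly\GAC_32 and GAC_64) and the hand-removal steps in the earlier HitmanPro/MGtools answer (a replaced services.exe, the {GUID} folders under C:\Windows\Installer and under a user's AppData\Local) are the three Sirefef/ZeroAccess artefacts this page names. The script below checks for all three in one pass so the state of the machine can be recorded before and after a cleanup. It is an added example written for this page, not code from either thread or from any tool mentioned in them; it assumes the Windows Vista/7 directory layout, PowerShell 2.0 or later, an elevated native (not 32-bit-on-64-bit) session, and the usual Windows 7 WinSxS component-folder naming (`*servicecontroller*` for the services.exe component), which is an assumption rather than something the posts state.

```powershell
# Added triage script for the Sirefef/ZeroAccess artefacts named in the posts above
# (GAC Desktop.ini payloads, {GUID} dropper folders, a patched services.exe). It is
# not code from the forum threads. Read-only: it reports, it never deletes or replaces.
# Assumes the Windows Vista/7 directory layout, PowerShell 2.0 or later, and an elevated
# native (not 32-bit-on-64-bit) PowerShell session.

$win = $env:SystemRoot
$findings = @()

function Add-Finding([string]$Check, [string]$Path, [string]$Detail) {
    $script:findings += New-Object PSObject -Property @{ Check = $Check; Path = $Path; Detail = $Detail }
}

function Get-Sha256Hex([string]$File) {
    # Get-FileHash only exists from PowerShell 4.0; this works on 2.0.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($File)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
}

# 1. Desktop.ini dropped into the GAC folders (the posts' GAC_32 / GAC_64 detections).
#    A genuine GAC directory has no reason to contain a Desktop.ini at all.
foreach ($gac in 'GAC_32', 'GAC_64') {
    $p = Join-Path $win "assembly\$gac\Desktop.ini"
    if (Test-Path -LiteralPath $p) {
        $i = Get-Item -LiteralPath $p -Force
        Add-Finding 'GAC Desktop.ini' $p "size=$($i.Length) attrs=$($i.Attributes)"
    }
}

# 2. {GUID}-named directories under C:\Windows\Installer and every user's AppData\Local
#    whose entries are the dropper's @ / n / L / U names seen in the posts. Legitimate
#    Installer GUID folders hold .msi/.msp resources, never entries with those names.
$guidRe = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
$roots  = @(Join-Path $win 'Installer')
foreach ($u in Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Force -ErrorAction SilentlyContinue) {
    if ($u.PSIsContainer) { $roots += Join-Path $u.FullName 'AppData\Local' }
}
foreach ($root in $roots) {
    foreach ($dir in Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue) {
        if (-not $dir.PSIsContainer -or $dir.Name -notmatch $guidRe) { continue }
        try {
            $names = @(Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction Stop | ForEach-Object { $_.Name })
        } catch {
            # Sirefef makes its folder hard to open; a GUID folder that cannot be listed is itself a finding.
            Add-Finding 'GUID dir unlistable' $dir.FullName "listing failed: $($_.Exception.Message)"
            continue
        }
        $hits = @($names | Where-Object { @('@', 'n', 'L', 'U') -contains $_ })
        if ($hits.Count -gt 0) { Add-Finding 'GUID dropper dir' $dir.FullName ('entries: ' + ($hits -join ',')) }
    }
}

# 3. services.exe: the 64-bit variants patch it (the HitmanPro answer above has it replaced).
#    Windows keeps copies of the file in the WinSxS component store; a clean
#    System32\services.exe is byte-identical to one of them, a patched one matches none.
#    Caveat: if the patch was written through the hard link System32 and WinSxS share,
#    the store copy is equally modified and this comparison cannot see it.
$svc = Join-Path $win 'System32\services.exe'
if (Test-Path -LiteralPath $svc) {
    $svcHash = Get-Sha256Hex $svc
    $storeHashes = @()
    foreach ($comp in Get-ChildItem -LiteralPath (Join-Path $win 'winsxs') -Force -ErrorAction SilentlyContinue) {
        if (-not $comp.PSIsContainer -or $comp.Name -notlike '*servicecontroller*') { continue }
        $copy = Join-Path $comp.FullName 'services.exe'
        if (Test-Path -LiteralPath $copy) { $storeHashes += Get-Sha256Hex $copy }
    }
    if ($storeHashes.Count -eq 0) {
        Add-Finding 'services.exe' $svc 'no WinSxS copy found to compare against; verify with sfc /verifyfile or sigcheck instead'
    } elseif ($storeHashes -notcontains $svcHash) {
        Add-Finding 'services.exe' $svc "SHA-256 $svcHash matches none of the $($storeHashes.Count) WinSxS copies: patched?"
    }
}

if ($findings.Count -eq 0) {
    'None of the three Sirefef checks fired (absence of these artefacts is not proof the system is clean).'
} else {
    $findings | Format-Table Check, Path, Detail -AutoSize -Wrap
}
```

Run it before the cleanup and again after the reboot the tools ask for: a hit on any check, including a GUID folder that cannot be listed, means the removal is not finished. If the one-minute "Windows has encountered a critical problem" countdown described in the posts is running, `shutdown /a` from an elevated prompt cancels that pending timed shutdown so the script (and the scanner that triggered it) has time to complete. Because of the hard-link caveat in check 3, confirm a services.exe verdict with `sfc /verifyfile=C:\Windows\System32\services.exe`, which validates the file against the signed catalog hashes rather than against another copy on disk.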
Relevance 78.3%

Yes I have the dreaded infection and have downloaded the frst64.exe and will run it to get the log files...
Any other directions or advice would be great

Not sure if this is the correct place to post virus infection requests...if not please direct me to the correct place...I do have the frst.txt file for my issue to upload when necessary.

Thanks
Russ

Answer:Win32/sirefef.AB / win64/sirefef.P infection

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

You can also post the FRST log

Good luck

1 more replies
Relevance 78.3%

A few days ago, I got the Sirefef.AB and Sirefef.W virus on my computer. I had no idea the severity of my problem until after I reinstalled MSE which has now caused my computer to constantly restart. I have used Farbar to create a FRST.txt and Server.txt file, though I do not know if that will help on this site in the removal of this blasted virus, and I will wait to post it until I have been instructed if I should do so. I really am at a loss here. I am not that great with computers, and could really use some help.

Edit: Added note, for the short while before I reinstalled MSE, I was having redirection problems when clicking on Google links. It also restarts in Safe Mode.

Answer:Sirefef.AB and Sirefef.W for Windows 7 Infected Computer with Constant Reboot

Greetings And Welcome To The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

3 more replies
Relevance 78.01%

Hello,

I post my problem here as it seems the only place where I've found people who actually know what they're talking about. I have a Sony Vaio laptop running Windows 7 64 bit infected with the Sirefef virus. Microsoft Security Essentials shows that it found:

Trojan: Win64/Sirefef
Trojan: Win64/Sirefef.Y
Virus: Win64/Sirefef.B
Trojan: Win64/Sirefef.Z
Trojan: Win64/Sirefef.W

Every time I boot the computer, MSE finds these infections, and prompts me after a minute to restart in order to complete the removal. But every time it reboots, the message is still there. I tried installing Malwarebytes but it won't let me because it says "access denied" or something like that. Sorry for not providing any more information but I can use my PC for a couple of minutes every time (because it reboots automatically). I followed your instructions and scanned with DDS. I attach the attach.txt file it generated. I look forward to hearing from you as I really need the laptop for my university studies and I'm in the middle of the exam period. Thank you for your time!

P.S. If I restore my whole system to factory settings, is the problem going to persist? Because if it's not, I will do it in a heartbeat. The only problem is that I am afraid of infecting my external hard drive (which would be already infected if the virus spreads to external devices). Would that be the case? Will I need to clean my external HDD too?

Answer:Win64/Sirefef.y sirefef.w sirefef.b present. Laptop keeps rebooting every 1 minute

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean! Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an... Read more

2 more replies
Relevance 78.01%

Referred from here: http://www.bleepingcomputer.com/forums/topic462175.html ~ OB

I am running Windows Vista with Microsoft Security Essentials when I first encountered the problem. The virus shut down MSE and the Microsoft update center, my firewall, etc. I downloaded MBAM, ran the scan, and it caught some files. Disinfected them, rebooted, rescanned, and the files appeared again. (while running in safe mode with networking from the point after being infected). I followed the instructions here: http://www.bleepingcomputer.com/virus-removal/remove-security-shield first because this is where I believe all the problems began (that is after my wife clicked on an embedded link within FB). Upon completing the entire process, I noticed I still had the sirefef trojan, sirefef virus, and rootkit 0 access as I was running MSE and MBAM right before getting the "windows (Vista) encountered a critical error and will restart" loop. I have already downloaded frst.exe and ran it thru the usb drive connected to the infected cpu. I do not know what to do from this point on to get my cpu back to "healthy" and virus free status again ??????
Running Vista 32 bit

Answer:Security SHield 2012, sirefef trojan, sirefef virus, and rootkit 0 access TROUBLE!

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

58 more replies
Relevance 76.56%

I seemed to have picked this up last night. So far all I've done is when my anti-virus detects it, I've been moving it to anti-virus chest. When I ran the full scan though, it said it doesn't detect anything. Any help would be greatly appreciated.
 
 
 
 
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 1.6.0_30
Run by Toni at 7:09:16 on 2013-09-10
Microsoft Windows 7 Starter   6.1.7600.0.1252.63.1033.18.2048.392 [GMT -5:00]
.
AV: avast! antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Common Files\Spigot\Search Sett... Read more

Answer:Win32:Sirefef-BTT [Trj], Win64:Sirefef-A [Trj], Win32:Malware-gen

Good evening.

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop. You will then need to extract the file(s) from the zipped folder. To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
In the Extraction Wizard window that opens, click on Extract and the contents should appear in a new window.
Please close all open programs as this may result in a reboot being necessary.
Double click TDSSKiller.exe to begin.
Click Change parameters and check the two boxes under Additional Options and then click OK.
Click Start scan and allow the tool to do just that.
Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
The log that the tool creates will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt. - I'd like a copy of the contents in your next reply.
Please check that you get the one with the right date and time.

19 more replies
Relevance 76.56%

following instructions from my previous posting. at first the tools seemed to clear the search engine redirection, but GMER still shows a problem. Tech decided to send me to this forum, and I started again with step 6 on the guide. DDS worked well. Tried to run GMER with the new instructions, and it stops after about 40 min. Attempts to sneak the GMER through with a scrambled name failed. So I ran it for 25 min and stopped the scan and that is what I am posting.If it runs long enough the virus apparently stops the scan and I have a gray screen and have to turn off the laptop and turn it back on and try again. I ran CD emulation disable, and it said "finished" but I can't tell if I had anything to disable, since I got no further instruction from that program. Laptop seems to be working well with no redirection but tech thinks the virus is still present.

DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by MARK at 22:46:15 on 2012-04-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2118 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\... Read more

Answer:win32/sirefef.ac and win32/sirefef.ah redirecting trojans?

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your computer problems.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send ... Read more

15 more replies

Hello. I have an XP machine, pretty old though works (except it is slow...probably some other residual trojan issues). I need your help!! Please assist.

I have Microsoft Security Essentials and MalwareBytes Anti-Malware on my machine. MSE detected the Sirefef.ac and Sirefef.ah trojans/viruses several days ago. It removed them. Then they appeared again and were removed again. This occurs every day. (FYI, MSE is always on and does an automatic daily scan. MBAM is run by me manually every several days.)

Over the weekend, I tried using various add'l software to get rid of these items & others though at the end of the day, the situation remains as noted above. Very frustrated that I can't do this on my own and am worried about my computer security. (I believe I used Eset, Kaspersky TDSS killer, ccleaner, & HitMan Pro)

First, if the sirefef items show as being removed, is my computer safe to use or should I turn it off? When I do get on the internet (when MSE shows all clean and green status), I do get to my default site, msnbc, can get to other sites, and don't get redirected.

I searched and found what seems like exactly the same problem in your forum.

topic450849 raised by MarkP, helped out by Broni, &
its successor topic, topic451285 helped out by Gringo.

Should I just follow and replicate what was noted on those forums or wait and follow specific instructions?

Thanks so much for trying to help me out!!

Kind regards,

Davidad

Answer:XP Infected w/ sirefef.ac & sirefef.ah & need help to permanently remove

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue. Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic. If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs. It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

9 more replies

Title pretty much says it all. Whenever my computer restarts if I don't do anything Microsoft Security Essentials will detect 2 infections, Sirefef.AH and Sirefef.R, and then inform me that I have a minute until the computer shuts down. If I end the process for Microsoft Security Essentials before any detections occur though then I can use my computer like normal. I'm guessing I need to use FRST to replace services.exe like in the other topics exhibiting this behavior, but since I can't interpret the logs I don't know how to fix this myself and admit that I could be way off.

On a possibly unrelated note, I've never been able to get ComboFix to run properly. I was asked to use it in a prior help topic on this site but was unable. Since then I've tried several times on my own to make it run to no avail. It always hangs after it informs me that it may take 10 minutes or more for badly infected systems and that text just hangs there even when I leave it on overnight.

I don't really care if ComboFix ever runs on my computer, but I figured it could be a symptom for something else so I'm listing it. Mostly I'd just like to be able to restart my computer without racing to stop processes before it gets stuck in a cycle.

Thanks in advance for whoever decides to help me.

Answer:Infected Sirefef.AH and Sirefef.R, computer keeps restarting

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
1. Restart the computer.
2. As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
3. Use the arrow keys to select the Repair your computer menu item.
4. Choose your language settings, and then click Next.
5. Select the operating system you want to repair, and then click Next.
6. Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
1. Insert the installation disc.
2. Restart your computer.
3. If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
4. Click Repair your computer.
5. Choose your language settings, and then click Next.
6. Select the operating system you want to repair, and then click Next.
7. Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ...

9 more replies

Hello,

I've been infected with Sirefef for a week now, tried system restore, full system scans in safe mode, tdss killer, numerous Sirefef removal tools from Kaspersky, Eset, Symantec to no avail. MS SE still finds Sirefef reincarnations from time to time.

please help!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by The Great Dark Lord at 2:12:28 on 2012-07-01
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8159.4495 [GMT 4.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Wind...

Answer:Sirefef.P Win32 / Sirefef.Y Win64

Hi,

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.
Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter. Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run. When the tool opens click Yes to disclaimer.
Uncheck the Whitelist boxes next to Registry, Services, Drivers, and known DLL's.
Place a check next to List Drivers MD5.
Press Scan button. It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

33 more replies

Hello! Please Help!

My antivirus started to warn me about blocking stuff a few days ago. I was using Bitdefender Total Security 2012. At first it found the threats and removed them but since this morning it started acting more weird. It wasn't able to remove them. I think it showed among others a trojan.sirefef.fy. I've changed my antivirus with Norton 360 but it didn't solve anything. I've installed Malwarebytes Anti-Malware which found another 2 trojans and rootkit.0Access. A second scan showed nothing. Norton 360 showed 2 threats and removed them. At last I ran Eset Online Scanner which now shows 7 threats. I'm really worried that my pc is compromised. I'm using Windows 7 with Firefox. Windows Update seems to be deactivated too.

Answer:trojan.sirefef.fy, Sirefef.Fd Trojan, rootkit.0Access problem

Download TDSSkiller. Launch it. Click on change parameters - Select TDLFS file system. Click on "Scan". Please post the LOG report (log file should be in your C drive). Do not change the default options on scan results.

Download aswMBR. Launch it, allow it to download latest Avast! virus definitions. Click the "Scan" button to start scan. After scan finishes, click on Save log. Post the log results here.

Download ESET online scanner. Install it. Click on START, it should download the virus definitions. When scan gets completed, click on LIST of found threats. Export the list to desktop, copy the contents of the text file in your reply.

8 more replies

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 32 bit
Processor: Intel(R) Core(TM)2 Duo CPU T5870 @ 2.00GHz, x64 Family 6 Model 15 Stepping 13
Processor Count: 2
RAM: 3037 Mb
Graphics Card: Mobile Intel(R) 4 Series Express Chipset Family, 1294 Mb
Hard Drives: C: Total - 152617 MB, Free - 114549 MB; D: Total - 140623 MB, Free - 63292 MB;
Motherboard: ASUSTeK Computer Inc., K50IJ
Antivirus: avast! Antivirus, Updated and Enabled
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:21:49, on 16/11/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_5_502_110_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwl...

Answer:Infected with win32:sirefef-AII[Rtk]

9 more replies

Services seem to be consuming 50%-70% minimum cpu usage on 4 cores
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_32
Run by User at 15:31:05 on 2012-07-16
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4095.2117 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\...

Answer:Infected by Win32:Sirefef-PL

Hi,

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
1. Restart the computer.
2. As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
3. Use the arrow keys to select the Repair your computer menu item.
4. Choose your language settings, and then click Next.
5. Select the operating system you want to repair, and then click Next.
6. Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
1. Insert the installation disc.
2. Restart your computer.
3. If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
4. Click Repair your computer.
5. Choose your language settings, and then click Next.
6. Select the operating system you want to repair, and then click Next.
7. Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64...

2 more replies

Hi, I've been infected by a virus/trojan that I can't remove by myself. Windows Defender detects it as "Trojan:Win32/Sirefef.G" but is unable to remove it; the computer freezes when I try. If I'm correct this is a trojan that can be used to install other viruses on your computer? I run Malwarebytes every time I start the computer and it always finds a "Trojan.Agent.Max" that I remove but it comes right back. The computer works as normal except for a few programs that won't start.
Any help would be much appreciated

Answer:infected by win32/Sirefef.G

When you did a virus scan, did it show where the file is located?
If it does, save that directory in Notepad.
What operating system are you running? I'm using Windows XP, for example.
On start up press F8 and boot into Safe Mode.
Go to My Computer, click on Tools then Folder Options,
go to View then Hidden files and folders & click on Show hidden files.
When you've found the file, delete it, then do a virus scan in Safe Mode.

Hope it works for you =)

10 more replies

Hello,
I'm a noob to this forum, but it's my last resort and I'm at my wits' end. As stated above, my desktop is infected with win32/sirefef.er, at least that is what AVG was saying. I keep getting pop ups of the threat and I can't quarantine the virus, a new window just pops up. That's how it started. I have read other threads in this forum on possible cures but got nowhere with the procedures. Now, when I restart the computer, AVG still pops up threat windows, but it displays other trojan names, not the "win32/sirefef.er" as it originally did. I am afraid the trojan is so deeply rooted, I just turned off the computer and I am using my P.O.S. Evo N800v laptop to post here.

The computer in question is a Medion running Windows Vista Home Premium, SP2 I believe.

Any help would be appreciated.

Answer:Infected with win32/sirefef.er

Hello and welcome. I moved this to the Am I Infected... please do these.

Please click Start > Run, type inetcpl.cpl in the runbox and press enter. Click the Connections tab and click the LAN settings option. Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.

>>>>> I'd like us to scan your machine with ESET OnlineScan. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Under scan settings, check and check Remove found threats
Click Advanced settings and select the following:
Scan potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push
NOTE: In some instances if no malware is found there will be no log produced.

>>>>>>>>>>>>> Reboot into Safe Mode with Networking
How to start Windows 7...

10 more replies

Hello good folks,
 
Got a recent warning from Malwarebytes/Windows Defender and then I ran Malwarebytes to clear it but I fear it is still lingering. Any advice or help to ensure it is removed will be appreciated from the gurus.
 
Thanks in advance
 
BuickGuy
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16483  BrowserJavaVersion: 10.21.2
Run by Six at 13:23:36 on 2013-05-28
Microsoft Windows 7 Professional   6.1.7601.1.1252.2.1033.18.12278.10162 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Winsim\ConnectionManager...

Answer:Infected with win32/sirefef.an

Hello BuickGuy, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"...

16 more replies

Hey guys,
 
I'm Sayak and I'm currently residing in the US. My company sent me here from India to work for a client. Obviously they spent a lot on me so the fact that uninterrupted work is more important to them on anything else goes without saying!
 
After a rough day at work, I got my hands on a video that wouldn't play. Frustrated, I did two things I never do: 1. Installed something on my work laptop and 2. Got that installer off the internet. It was supposed to be a codec pack. Turned out to be packed with a ZeroAccess RootKit program - pleasant surprise. Now I wasn't completely insane, I did scan it before running, but the geniuses at my office have shoved Symantec Endpoint Security down our throats - which is as effective as a potato.
 
I started noticing that SSL sites stopped opening in Chrome, so I quickly did some research, downloaded MS Security Essentials and managed to kill the virus. Or so I thought!! I could no longer use the internet on my laptop. 
 
After 3 hours of reading surprisingly accurate threads on the forum (on my phone btw, and it was so tedious thanks to the awesome codec pack that I installed), I finally managed to get everything up and running.
 
So thanks to you guys at bleeping computer, I am not losing my job!! Kudos guys, you made my day! 
 
Sayak

Answer:Infected with Win32/Sirefef.gen!C

I, along with many other bleepin members here are honored, and feel warm and fuzzy that we've been able to help another person in our quest to slay all bugs and foibles that plague us computer users. ~Zestypanda

7 more replies

Computer had been acting funny lately so I updated and ran MSE. MSE found the threat, but before I was able to remove and restart the PC I kept getting the error message "windows has encountered a critical problem and will restart automatically in one minute". Every time I restart the machine it keeps throwing up the same error even in safe mode. I can't run any programs long enough to post any logs, please help

Answer:I am infected by Win32/Sirefef

Let me ask a malware response team member to assist you

good luck

19 more replies

I have an infection, detected by Microsoft Security Essentials, of Trojan:Win32/Sirefef.AG and Trojan:Win32/Sirefef.I

I have been unsuccessful in removing this infection. Can you help?
Estelle
PS this infection is supposedly in this file: C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\U\[email protected] But it cannot be found on my system.
@myrti in IRC told me to post this question in this forum.

Answer:Trojan:Win32/Sirefef.AG

Hi eclark53,

Please create a log with DDS (if you can) and post it here:

Please run a scan with DDS: Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results, click no to the Optional_Scan. Follow the instructions that pop up for posting the results. Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Do you have a 32bit or a 64bit OS?

regards myrti

2 more replies
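The DDS header myrti asks for above is the first thing the helpers in these threads read: the AV/SP status lines say whether protection was disabled or out of date, and the Running Processes list shows what was live at scan time. The following is an added example, not a forum tool and not code from any of the posters: a small Python triage script that parses those two parts of a DDS log and reports the things the threads on this page keep returning to, namely a disabled or outdated AV product, a process listed without a full image path, and an executable running from one of the two locations named in this thread (an Installer\{GUID}\U\ directory and assembly\GAC_32\desktop.ini). The sample log is constructed to resemble the headers quoted above, and the two path patterns are illustrations taken from this page, not a general signature for this malware family.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed sample modeled on the DDS header format quoted in these threads
# (not a real log). The disabled/outdated AV entries, the bare "svchost.exe"
# line and the Installer\{GUID}\U\ path are included so the checks have
# something to report.
SAMPLE_LOG = r"""
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Example User at 22:46:15 on 2012-04-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2118 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\Installer\{c9895293-dd75-a99b-8995-cba2d2461db3}\U\[email protected]
.
============== Pseudo HJT Report ===============
.
"""


@dataclass
class AvEntry:
    kind: str      # "AV" (antivirus), "SP" (antispyware) or "FW" (firewall)
    name: str
    enabled: bool
    updated: bool


@dataclass
class DdsReport:
    av: List[AvEntry] = field(default_factory=list)
    processes: List[str] = field(default_factory=list)


AV_LINE = re.compile(r"^(AV|SP|FW):\s+(.+?)\s+\*(Enabled|Disabled)/(Updated|Outdated)\*")
SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")
FULL_PATH = re.compile(r"^[A-Za-z]:\\")

# The two locations named on this page, used as illustrative patterns only.
SUSPECT_LOCATIONS = [
    (re.compile(r"\\Installer\\\{[0-9A-Fa-f-]{36}\}\\U\\"),
     "an Installer\\{GUID}\\U\\ directory (the location reported in this thread)"),
    (re.compile(r"\\assembly\\GAC_32\\desktop\.ini$", re.IGNORECASE),
     "assembly\\GAC_32\\desktop.ini (the location reported in this thread)"),
]


def parse_dds(text: str) -> DdsReport:
    """Extract the AV/SP/FW status lines and the Running Processes list."""
    report = DdsReport()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS pads its sections with lone dots
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = AV_LINE.match(line)
        if m:
            report.av.append(AvEntry(m.group(1), m.group(2),
                                     m.group(3) == "Enabled",
                                     m.group(4) == "Updated"))
            continue
        if section == "Running Processes":
            report.processes.append(line)
    return report


def flag_paths(paths: Iterable[str]) -> List[str]:
    """Report any path (process image or file named by an AV alert) under a
    location reported in this thread."""
    findings = []
    for p in paths:
        for pattern, label in SUSPECT_LOCATIONS:
            if pattern.search(p):
                findings.append(f"{p}: matches {label}")
    return findings


def triage(report: DdsReport) -> List[str]:
    """Turn a parsed DDS header into a short list of points worth checking."""
    findings = []
    for av in report.av:
        if not (av.enabled and av.updated):
            state = ("enabled" if av.enabled else "disabled") + "/" + \
                    ("updated" if av.updated else "outdated")
            findings.append(f"{av.kind} {av.name} is {state}")
    images = []
    for proc in report.processes:
        image = proc.split(" -k ")[0]        # drop the svchost service-group argument
        if not FULL_PATH.match(image):
            findings.append(f"process '{proc}' listed without a full image path; "
                            "confirm where it runs from with Process Explorer")
        images.append(image)
    findings.extend(flag_paths(images))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_dds(SAMPLE_LOG)):
        print("-", finding)
```

To use it on a real log, read the pasted DDS text into `parse_dds` instead of `SAMPLE_LOG`; `flag_paths` can also be fed the file names an AV error message reports (as in the Avast messages later on this page) without a DDS log at all. A process without a full path is only a prompt to look, not a verdict, so the script words it as a check rather than a detection.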

Hi, after downloading an audio codec, my Avast anti virus has been popping up every 5 minutes or so to say Win32:\sirefef-PL blocked and Win32:\sirefef-ZT blocked.
I have since done a quick scan, full system scan and boot time scan with Avast but when I tried to delete, move to virus chest or fix these problems the following came up:
Win32:\sirefef-PL - Error: the system could not find the file specified (2) File name:C:Windows\system32\services.exe

Win32:\sirefef-ZT - Error: the process cannot access the file because it is being used by another process (32) File name:C:\Windows\assembly\GAC_32\desktop.ini

This happened in the normal scan and the boot time scan.

I have located services.exe and cannot delete the file or find it in the processes tab of task manager in order to end the process and have found a desktop.ini but in a different address path and a file scan didn't show any infection.

I have also done a scan with Malwarebytes and have attached the log to this post. I did a second scan which showed no threat even though I'm still getting notifications from Avast.

I don't know if my personal information is at risk as Avast is blocking the attempts but my computer also seems to have slowed significantly too.
Any help/advice with this problem would be greatly appreciated as I have spent 2 nights trying all sorts to remove these.

Thanks in advance.

Answer:Win32:\sirefef-PL & ZT, Trojan-Gen

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o...

3 more replies

I keep getting Windows Defender on my Windows 7 64bit warning me that I have been infected by Trojan:Win32/Sirefef.AB. Even after it says it's removed, and even after boot scans with Avast that say it has been deleted, it keeps coming back.
 

Answer:Trojan:Win32/Sirefef.AB

I believe these are all the logs
 

4 more replies

This aging but beloved and venerable single core Intel, XP Service Pack 3 is a mess and I would greatly appreciate your help! Symptoms were dramatically slow response and redirects of websites with Firefox and IE. Malwarebytes removed, as far as I could tell, XP Virus 2012; AVG kept popping up threat alerts thereafter and ESET online scanner found and could not repair or remove Win32/Sirefef.DA trojan. That short report follows; please let me know, if you can, whether this is repairable or requires reformat. OS, MS and Adobe program CDs no longer available ($$$). And what risk to passwords and financial/personal info? Thanks.

ESET

C:\Documents and Settings\Anthony S\Application Data\Sun\Java\Deployment\cache\6.0\0\3023a1c0-761e9945 Java/TrojanDownloader.OpenStream.NCA trojan deleted - quarantined
C:\Documents and Settings\Anthony S\Application Data\Sun\Java\Deployment\cache\6.0\17\2ff2a511-2e1033ec multiple threats deleted - quarantined
C:\Documents and Settings\Anthony S\Application Data\Sun\Java\Deployment\cache\6.0\61\3e9e997d-6f67da20 multiple threats deleted - quarantined
C:\WINDOWS\system32\drivers\serial.sys Win32/Sirefef.DA trojan unable to clean
Operating memory multiple threats


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:23:01 AM, on 12/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\s...

Answer:Win32/Sirefef.DA trojan

6 more replies

Cannot remove the following viruses from my computer:
 
Trojan:win32.sirefef.AB
Trojan:win64/sirefef.P
 
I'm running windows 7 64 bit.
 
Please help!

Answer:Trojan:win32/sirefef.AB

Welcome aboard. That kind of infection requires elevated help. Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue. Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic. If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs. It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

1 more replies

Hi


My ESET antivirus has notified me that I am infected with the win32/Sirefef.DA trojan. It says that it is in the operating memory and that it could not remove it. If someone would be able to help me remove it I would greatly appreciate.
 

Answer:Win32/Sirefef.DA trojan

Welcome to the Malware Removal Forum.

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:


If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user acco...

1 more replies

I was working on trying to figure out why one of my PC games wasn't updating properly when I noticed that my Windows Firewall automatically turned itself off. After unsuccessful attempts to try and manually turn it back on, I checked Microsoft Security Essentials only to find that it wasn't working properly either. It displayed a message saying that the program wasn't installed so I went ahead and uninstalled and then reinstalled it and started a quick scan. About halfway through several error messages popped up along with the error message "WINDOWS CRITICAL ERROR REBOOT IN ONE MINUTE. SAVE YOUR WORK." Security Essentials displayed several malware with the name Sirefef.AH/.R, and I'm unable to do anything before my PC restarts itself.

After some research on this forum I've found several others with this issue and I'm gonna need help clearing this up. I've prepped a USB device with the Farbar Recovery Scan Tool and successfully retrieved FRST.txt and Search.txt as instructed in another thread just so I can help get the ball rolling on this a little faster.

NOTE: It's going to be difficult to get anything installed on the infected PC due to it restarting in about 60 seconds. (I'm using a roommate's PC in order to contact you guys.)

Any help will be GREATLY appreciated.

Thanks.

Answer:Sirefef Trojan on win32

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

16 more replies

Hello to you,
I am currently at a friend's PC that has several versions of the Sirefef Trojan.

Microsoft Security Essentials could put a huge number of them into quarantine (Sirefef.AL / .AG / and without .xx); for one it actually found, MSE (Microsoft Security Essentials) tries to quarantine Sirefef.R (and .AH), gets stuck after one minute and two minutes later the computer is forced to shut down.

In the MSE window I can see that services.exe in c:\windows\System32 of the Windows Vista Home Premium SP2 is infected.
I have seen that mods need DDS and Farbar Recovery Scan Tool logs for supporting this?
I guess that taking the services.exe from a working Vista HP SP2 and replacing the infected file is not enough?
Thanks and best regards, Chritian

PS Can I put all the needed files on a 2GB USB stick and prevent the stick from being infected by the virus? I had an older stick with a hardware switch to make it write-protected, but current sticks do not support this kind of protection?!

Answer:Trojan:Win32/Sirefef

First run Panda USB Vaccine on the USB drive. Please go here: Preparation Guide, do steps 6-9. Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. If GMER won't run (it may not on a 64 bit system) skip it and move on. Let me know if that went well.

1 more replies

Hi,

I recently visited the www.dailymotion.co.uk site and have been infected with the Trojan:Win32/sirefef.p.
My Avast instantly popped up saying it had blocked it, however it keeps popping up now. I have downloaded malwarebytes and done a full scan which found 4 bad files which i removed. However Avast still picks up on it.

I would appreciate any help with removing this.
Thanks
Tom

Answer:Trojan:Win32/sirefef.p

Hello and welcome. Please post the MBAM log. The log is automatically saved and can be viewed by clicking the Logs tab. Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.

Please download TDSSKiller.zip and extract it. Run TDSSKiller.exe. Click Start scan. When it is finished the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue. Let it reboot if needed and tell me if the tool needed a reboot. Click on Report and post the contents of the text file that will open.

Note: By default, the utility outputs the log into the system disk (it is usually the disk with the installed operating system, C:\) root folder. The log has a name like: TDSSKiller.Version_Date_Time_log.txt. If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

I'd like us to scan your machine with ESET OnlineScan. Hold down Control and... Read more

6 more replies

I ended up with TROJAN:WIN32/SIREFEF and TROJAN:WIN32/SIREFEF.AL and TROJAN:WIN32/SIREFEF.AQ on my pc, probably from a bad website. I have Microsoft Security Essentials running and it found them and quarantined them and I then deleted them. Or so I thought. I also have Malwarebytes installed (the free version) and when I ran it, it also found trojans although it didn't name them. I still have those logs.

When I run MS Security Essentials now it says my pc is clean and Malwarebytes says the same thing. However...

My Windows Firewall is now turned off (I did not do that) and I can't turn it back on. When I try to launch the Security Center (through msconfig --> Tools), I get a message saying that "The Security Center is currently unavailable because the "Security Center" service has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again." (I tried all of that.) If I try to get to the Firewall through the Control Panel, I get a message saying "Due to an unidentified problem, Windows cannot display Windows Firewall settings."

MS Security Essentials cannot receive updates. When I try to, I get this message: "Virus and spyware definitions update failed. Security Essentials couldn't check for virus and spyware definition updates. Check your Internet or network connection and try again. Click Help for more i... Read more

Answer:TROJAN:WIN32/SIREFEF

Hello keeta, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. Please download the latest version of TDSSKiller from here and save it to your Desktop. Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
Put a checkmark beside loaded modules.
A reboot will be needed to apply the changes. Do it. TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is nor... Read more

10 more replies

My computer is infected with trojan win32/sirefef.o and my AVG antivirus is disabled. I tried installing Malwarebytes and AntiMalwarebytes, Trojan Remover, Spy Doctor, but none of them worked. Only my Windows Firewall could detect it but could not remove it. Please, somebody help me remove this trojan virus, please...

Answer:trojan win32/sirefef.o

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

Please try this. Boot your computer in Safe Mode with Networking, download and install MBAM (below) and run a full scan. ... Read more

1 more replies
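The helpers in several of the threads above give the same two pieces of USB advice: carry tools on a CD (or hold Shift while inserting a stick so AutoRun does not fire) and run a USB "vaccine" before using the stick on the infected PC. The script below is an added example, not code from any poster or from the vaccine tool they link, showing the two controls behind that advice done by hand: it sets the Explorer policy that disables AutoRun for every drive type, and it reserves the name autorun.inf on the stick as a read-only hidden folder so a dropper cannot create a file by that name. The drive letter `$Drive` is an assumption; set it to the removable drive.

```powershell
# Added example (not from the thread): manual equivalent of the USB advice above.
# Part 1 disables AutoRun for all drive types via the Explorer policy value.
# Part 2 reserves the file name autorun.inf on the removable drive.
# $Drive is an ASSUMPTION: set it to the removable drive's letter.
param([string]$Drive = 'E:\')

# --- Part 1: AutoRun policy for all drive types ---
# NoDriveTypeAutoRun is a bitmask of drive types EXCLUDED from AutoRun.
# The default 0x91 excludes only unknown and network drives and so still
# honours autorun.inf on removable media; 0xFF excludes every drive type.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# --- Part 2: reserve autorun.inf on the removable drive ---
$target = Join-Path $Drive 'autorun.inf'
if (Test-Path $target -PathType Leaf) {
    # A stick that has already been in an infected PC may carry a real
    # autorun.inf; show it rather than silently replacing it.
    Get-Content $target
    throw "autorun.inf file already exists on $Drive; inspect it before continuing"
}
if (-not (Test-Path $target)) {
    $dir = New-Item -Path $target -ItemType Directory
    # ReadOnly + Hidden + System: an ordinary dropper writing autorun.inf fails
    # because a directory of that name is in the way.
    $dir.Attributes = 'ReadOnly, Hidden, System'
}

# Show the result of both parts.
Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun | Select-Object NoDriveTypeAutoRun
Get-Item -Force $target | Select-Object FullName, Attributes
```

Run it from an elevated prompt on the clean PC before the stick goes anywhere near the infected one; the policy value is read at logon, so log off or reboot for Part 1 to take effect. Part 2 is only a speed bump: malware with write access can remove the folder, so the policy in Part 1 and never double-clicking the drive root on the infected machine are the controls that actually matter. The vaccine tool the helper recommends is the same idea in a more robust form.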

I received this computer infected and have since found the browser (IE) unresponsive to certain websites like Yahoo Mail. However Google and GMail work just fine.
Websearch was also the home page, which I have changed.
I've done full scans with both Microsoft Security Essentials and Malwarebytes. The Trojan is said to have been removed, only to reappear fairly quickly.
We'll take whatever we find one step at a time. The Trojan seems to be the most intrusive at this point.
The instructions asked for the DDS log, the Attach doc and the GMER log for 32 bit systems. I have attached the last 2.
OS is Vista.
Thanks in advance.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Owner at 18:32:18 on 2012-04-23
Microsoft® Windows Vista® Home Basic 6.0.6002.2.1252.1.1033.18.3062.1433 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\... Read more

Answer:Trojan:Win32/Sirefef...

Hi stindi

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, please delete the copy that you have and ... Read more

8 more replies

My computer has been running really slow and redirecting any searches on the web, so I ran a free scan from eset. It was able to fix all trojans except this win32/sirefef.da. I am not very good with computers, so any help would be greatly appreciated to get this removed. Thanks!
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:33:55 AM, on 2/16/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AEIOMed Everest\Service\AEIOMed.exe
C:\Program Files\AEIOMed Everest\Server\bin\tomcat5.exe
C:\Program Files\eBLVD\ebhost.exe
C:\Program Files\eBLVD\ebhost.exe
c:\progra~1\mcafee\sitead~1\McSACore.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Documents and Settings\VICKI\Local Settings\Application Data\Google... Read more

Answer:win32/sirefef.da trojan

7 more replies

So I'm getting some weird activity on my pc. Random reboots, Browser redirection and inability to click some links or download some protection tools etc. I've read the sticky and here are my posts. I'm pretty certain my pc is relatively unclean as it is, but I'd like to get rid of this Trojan before I address other issues. Thank you for reading and any help you can provide !

S.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:36:39 AM, on 7/21/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\... Read more

Answer:Trojan:Win32/Sirefef Help please

16 more replies

Hello,
Our son downloaded something on our laptop that has affected our OS, WinXP. Our AV, ESET, cannot run, and when I looked into the logs report, it shows that the laptop is infected with the win32/Sirefef.CT trojan.

I tried running the eset scan with no success.

We would appreciate your assistance. Thank you.
James

Answer:Win32/Sirefef.CT trojan

Attached files as per your online instructions:

DDST.txt pasted and attach.zip and ark.txt are attached.

I have an original XP install CD.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by matthewjackson at 13:21:11 on 2011-10-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1602 [GMT -7:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\USB LOCK AP\klpsrvc.exe
C:\WINDOWS\system32\PrintCtrl.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
"C:\Program Files\USB LOCK AP\svchost.exe"
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\Program Files\Acronis\DiskDirector\OSS\reinstall_svc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Intell... Read more

11 more replies

Windows detected this and my computer has been running very slowly.
Here are my logs.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:06:25 AM, on 11/6/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16450)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sony\VAIO Care\listener.exe
C:\Program Files (x86)\DDNi\Oasis\VAIO Messenger.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Users\AddyDoll\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sony.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Softwar... Read more

Answer:trojan:win32/sirefef.AN

16 more replies

Hi there.

Eset is reporting that I've got Win32/Sirefef.DN trojan in Operating memory.
I've tried cleaning it, but it returns.

Computer behaviour is getting worse. Some examples:
New firefox tabs opening
Firefox redirects to ebay
Computer fans varying wildly when idle
Malware software not running correctly.

I've attached the result from DDS, but gmer wouldn't run. Errors were that it couldn't access a file because it was in use and also something to do with an external disk.

I have access to my Dell start disc.

Thanks in advance!


Here's the contents of the DDS scan:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by thingswelike at 12:55:33 on 2012-01-25
Microsoft® Windows Vista® Business 6.0.6002.2.1252.44.1033.18.3069.1919 [GMT 0:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k Netw... Read more

Answer:Win32/Sirefef.DN trojan

Hi

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed. Note that if you do not respond within 5 days I shall no longer check this thread for replies.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.


IMPORTANT - for Windows Vista and Windows 7 start all tools by using right click > Run as Administrator.



Please download Rkill from any one of these links and save it to your desktop.

Rkill.com
Rkill.scr
Rkill.pif


Now double click on Rkill to run it. If the first one doesn't work try the n... Read more

19 more replies

On my personal computer (Windows XP Home), Microsoft Security Essentials is finding a trojan win32/sirefef.ag. However, after removal, the trojan shows up again. Malwarebytes Anti-Malware does not find the trojan. I have tried running Emsisoft, but cannot download the latest updates.

I have also tried all 3 programs in Windows safe mode to no avail. Any suggestions?

Answer:Trojan win32/sirefef.AG

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At t... Read more

20 more replies

Hi, I would welcome any help that can be provided as my PC has contracted a big problem!

- When using google in browsers the search terms redirect to ad sites. While loading, the term "colossalsearch.com loading" or similar, appears in the browser.

- All anti-virus software programs have been affected. AVG no longer works, the trojan appears to have disabled the program. I've tried to download again and install but it cannot install. Malwarebytes only works in safe mode. I've tried to download avast free software but this does not work.
- Spybot works and identifies about 10 files which I keep removing but they come back.
- PC has gone extremely slow.

- Windows defender identified the virus as "Trojan:Win32/Sirefef.O".

- I tried to run GMER as instructed and it loaded but when I tried to scan, it seemed to disappear. When I tried to run again, it came up with the message "Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item".
- I'm currently in safe mode with networking.
-Logs attached below.

Thanks in advance for any help!

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19154 BrowserJavaVersion: 1.6.0_17
Run by Mark at 9:00:58 on 2011-10-27
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.44.1033.18.2045.1219 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-... Read more

Answer:Trojan:Win32/Sirefef.O

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links. Link 1 Link 2 Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more

4 more replies

I recently did a scan of my C drive with Eset Smart Security and received a notice stating that I had a trojan that could not be cleaned called win32/Sirefef.FC in C:\Windows\system32\services.exe. I did a search of this and came across this site so I thought I would post and see if you could help.

Thanks,
Shane

Answer:win32/Sirefef.FC trojan

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

25 more replies

Hi, I have a trojan on my computer.

I get Win 7 Security 2012 pop ups. I have run rkill, TDSSKiller (log below), aswMBR (log below), MalwareBytes (don't have the log anymore but can run it again if asked). I've gotten rid of the ping.exe virus but my ESET NOD32 Antivirus 4's web access protection shows as non-functional and the log file shows "12/17/2011 5:33:56 PM Startup scanner file Operating memory » C:\Windows\assembly\GAC_32\Desktop.ini a variant of Win32/Sirefef.DN trojan cleaned by deleting (after the next restart) YoonJoo-PC\YoonJoo"

Every time I restart, ESET NOD32 pops up with that message.

here is the log to aswMBR :

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-17 18:03:35
-----------------------------
18:03:35.010 OS Version: Windows x64 6.1.7601 Service Pack 1
18:03:35.011 Number of processors: 8 586 0x1E05
18:03:35.011 ComputerName: YOONJOO-PC UserName: YoonJoo
18:03:39.247 Initialize success
18:03:44.359 AVAST engine defs: 11121700
18:03:54.935 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:03:54.940 Disk 0 Vendor: ST310005 CC45 Size: 953869MB BusType: 8
18:03:54.955 Disk 0 MBR read successfully
18:03:54.958 Disk 0 MBR scan
18:03:54.964 Disk 0 Windows VISTA default MBR code
18:03:54.967 Service scanning
18:03:56.676 Modules scanning
18:03:56.684 Disk 0 trace - called modules:
1... Read more

Answer:Win32/Sirefef.DN trojan

Hi again.

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by YoonJoo at 20:22:56 on 2011-12-17
Microsoft Windows 7 Home Premium 6.1.7601.1.949.82.1033.18.8151.5623 [GMT -8:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNo... Read more

3 more replies

Slow performance and constant pop-ups from the default Windows anti-virus.
--
DDS (Ver_2012-10-14.05) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_32
Run by Miguel at 21:19:10 on 2012-10-15
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3032.1778 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86... Read more

Answer: Trojan:Win32/Sirefef.AN

Please do the following:

Download the appropriate version of the Farbar Recovery Scan Tool for your system and save it to a flash drive.
Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  Restart the computer.
  As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  Use the arrow keys to select the Repair your computer menu item.
  Choose your language settings, and then click Next.
  Select the operating system you want to repair, and then click Next.
  Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  Insert the installation disc.
  Restart your computer.
  If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  Click Repair your computer.
  Choose your language settings, and then click Next.
  Select the operating system you want to repair, and then click Next.
  Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
Notepad opens. Under the File menu select Open.
Select "Computer" and find your flash drive letter, and then close Notepad.
In ... Read more

11 more replies

Hi,

My ESET antivirus has notified me that I am infected with the win32/Sirefef.DA trojan. It says that it is in the operating memory and that it could not remove it. If someone would be able to help me remove it I would greatly appreciate.

Thank you for your time.
 

Answer: Win32/Sirefef.DA trojan

Welcome to the Malware Removal Forum.

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the link below:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain (if any still do)!
Helpful Notes:


If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user acco... Read more

6 more replies

I've been infected with viruses. I realized it when I was redirected to another website (CC Search) by Google after a Google search. After searching about this CC Search, I decided to install anti-virus to remove some viruses. I've tried installing Kaspersky but it seemed that it couldn't start. While downloading other anti-virus software, my internet connection was "cut off" half-way. This happens when I am downloading other programs too. It was then that I started downloading using Free Download Manager so I could pause the download and continue after rebooting my computer, when my internet connection was back. (The connection remains for about 5 minutes after starting a download.) Therefore I restarted 3-4 times before successfully downloading the anti-virus (HitMan and Spyware Doctor) and TDSSKiller. Although infections were found and removed, after rebooting my computer Windows Defender found this trojan, Win32/Sirefef.O. Windows Defender prompted me to remove it and after clicking "Remove All" an error occurred:

Error encountered: Code 0x80508017. Some actions couldn't be applied to potentially harmful items. The items might be stored in a read-only location. Delete the files or folders that contain the items or, for information on removing read-only permissions from files and folders, see Help and Support.
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Advice: Remove this software immediately... Read more

Answer: Trojan:Win32/Sirefef.O

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links: Link 1, Link 2, Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

46 more replies

ESET keeps popping up with a warning that I have been infected with the Win32/Sirefef Trojan. I have tried Malwarebytes, TDSSKiller, RogueKiller and still get this warning from ESET. Any help would be appreciated. Thanks.

Answer: Win32/Sirefef trojan

Hi and Welcome!!   
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
 
The fixes are specific to your problem and should only be used for the issues on this machine.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
Please be sure to subscribe to the topic if you have not already done so.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
 
Having said that....     Let's get going!!  
----------
 
Do you happen to have the logs that were made by both TDSSKiller and Malwarebytes?  If so, please post thos... Read more

16 more replies

Hello,
My system got infected with a trojan and I have now tried all the ways suggested online, but nothing seems to help. If anyone can help me resolve this issue it would be great. Here is the error that I am getting:

ESET Smart Security 5

Alert
Threat found

Object: c:\windows\system32\services.exe
Threat: win32/sirefef.FC trojan

Event occurred during an attempt to access the file by the application: c:\windows\system32\svchost.exe.

Delete
The object contains a possible threat for your system. This option will remove the object from your system.

No action - Not recommended
Despite a potential threat, the object will not be cleaned or deleted and will persist in the system.

Error while deleting.

Answer: win32/sirefef.FC trojan

What operating system are you using?

4 more replies
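The two ESET reports quoted above (the startup-scanner line naming C:\Windows\assembly\GAC_32\Desktop.ini and the alert on c:\windows\system32\services.exe) leave the reader with two manual chores: pulling what was detected out of the pasted text, and deciding whether a file that should be plain data is really a program. The Python script below is an added example written for this page, not code from the forum or from ESET. It assumes only the two text shapes quoted on this page (the log-export line and the Object:/Threat: alert dialog), treats .ini, .txt and .log as data-only names, and runs against constructed sample text and constructed MZ/PE bytes rather than real files; triage() takes a reader callback so the same logic can be pointed at the infected disk or at a dictionary of samples.

```python
"""Triage helper for the ESET 'Sirefef' detections quoted in this thread.

Added example, not code from the forum or from ESET. It (1) parses the two
ESET text shapes quoted above into (object, threat, action) and (2) checks
whether a flagged data file such as GAC_32\\Desktop.ini is really a PE image.
All sample text and bytes below are constructed; no real malware is embedded.
"""
import re
import struct
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Callable, List, Optional, Tuple


@dataclass
class Detection:
    obj: str      # path ESET named (quoted paths have no spaces; a space would cut it short)
    threat: str   # e.g. 'Win32/Sirefef.DN trojan'
    action: str   # ESET's stated action, '' when none was given


# Log-export line: '... C:\path\Desktop.ini a variant of Win32/Sirefef.DN trojan cleaned by deleting ...'
LOG_LINE = re.compile(
    r"(?P<obj>[A-Za-z]:\\\S+)\s+(?:a variant of\s+)?"
    r"(?P<threat>Win32/Sirefef\S*\s+trojan)"
    r"(?:\s+(?P<action>cleaned by deleting|error while deleting))?",
    re.IGNORECASE,
)
# Alert dialog: 'Object: <path>' then 'Threat: <name>', with a status line further down.
OBJECT_LINE = re.compile(r"^Object:\s*(?P<obj>.+?)\s*$", re.IGNORECASE)
THREAT_LINE = re.compile(r"^Threat:\s*(?P<threat>.+?)\s*$", re.IGNORECASE)
ACTION_PHRASES = ("cleaned by deleting", "error while deleting")


def parse_eset_text(text: str) -> List[Detection]:
    """Return every detection found in pasted ESET log or alert text."""
    found: List[Detection] = []
    pending_obj: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOG_LINE.search(line)
        if m:
            found.append(Detection(m["obj"], m["threat"], m["action"] or ""))
            continue
        m = OBJECT_LINE.match(line)
        if m:
            pending_obj = m["obj"]
            continue
        m = THREAT_LINE.match(line)
        if m and pending_obj:
            found.append(Detection(pending_obj, m["threat"], ""))
            pending_obj = None
            continue
        # A bare status line ('error while deleting.') belongs to the last alert seen.
        for phrase in ACTION_PHRASES:
            if phrase in line.lower() and found and not found[-1].action:
                found[-1].action = phrase
    return found


def looks_like_pe(data: bytes) -> bool:
    """True when data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Names that should hold text/data; a PE under one of them is the Desktop.ini case above.
DATA_ONLY_SUFFIXES = {".ini", ".txt", ".log"}


def is_masquerading(name: str, data: bytes) -> bool:
    return PureWindowsPath(name).suffix.lower() in DATA_ONLY_SUFFIXES and looks_like_pe(data)


def read_head(path: str, limit: int = 4096) -> Optional[bytes]:
    """First bytes of a file on the box being triaged; None if it cannot be opened."""
    try:
        with open(path, "rb") as fh:
            return fh.read(limit)
    except OSError:
        return None


def triage(text: str, reader: Callable[[str], Optional[bytes]] = read_head) -> List[Tuple[Detection, str]]:
    """Pair each Sirefef detection with a verdict on the file as it exists now."""
    verdicts: List[Tuple[Detection, str]] = []
    for det in parse_eset_text(text):
        if "sirefef" not in det.threat.lower():
            continue
        data = reader(det.obj)
        if data is None:
            verdict = "not readable on disk: already removed, memory-only, or access denied"
        elif is_masquerading(det.obj, data):
            verdict = "PE image under a data-file name: treat as a Sirefef component"
        elif looks_like_pe(data):
            verdict = "PE as its name suggests: verify it (sfc /verifyfile=<path>) before trusting it"
        else:
            verdict = "plain data file"
        verdicts.append((det, verdict))
    return verdicts


# Constructed samples: both ESET formats quoted in the thread, a minimal MZ/PE header, a real-looking Desktop.ini.
SAMPLE_ESET_TEXT = r"""
12/17/2011 5:33:56 PM Startup scanner file Operating memory ? C:\Windows\assembly\GAC_32\Desktop.ini a variant of Win32/Sirefef.DN trojan cleaned by deleting (after the next restart) YoonJoo-PC\YoonJoo
ESET Smart Security 5
Alert
Threat found
Object: c:\windows\system32\services.exe
Threat: win32/sirefef.FC trojan
Event occurred during an attempt to access the file by the application: c:\windows\system32\svchost.exe.
error while deleting.
"""
FAKE_PE_HEADER = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
GENUINE_DESKTOP_INI = b"[.ShellClassInfo]\r\nCLSID={...}\r\n"

if __name__ == "__main__":
    fake_disk = {r"C:\Windows\assembly\GAC_32\Desktop.ini": FAKE_PE_HEADER}
    for det, verdict in triage(SAMPLE_ESET_TEXT, reader=lambda p: fake_disk.get(p)):
        print(f"{det.threat:28} {det.obj}\n    action={det.action or '-'}; {verdict}")
```

A Desktop.ini that begins with an MZ header is never legitimate, so that verdict is conclusive. services.exe is supposed to be a PE, so the header check cannot settle the second alert; on Vista and later the next step is sfc /verifyfile=c:\windows\system32\services.exe, run from an offline command prompt such as the System Recovery Options steps quoted earlier on this page, because a detection taken while Windows is running does not say whether the copy on disk still matches the original.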

Microsoft Security Essentials keeps on finding the malware Trojan:WIN32/Sirefef on my computer on a regular basis. It's quarantined and then deleted by me, but keeps coming back. Computer symptoms include high CPU usage and internet explorer running in the background (almost exclusively use firefox).

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:15:02 PM, on 5/13/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX... Read more

Answer: Trojan:WIN32/Sirefef help

16 more replies

Well guys! Now it was my time to get this little bugger!

The virus we are talking about is - Win32/Sirefef.DA trojan

Currently I am using ESET NOD32 Antivirus 4.0.468.0. I have been researching some way to solve this little bugger. I have used TDSSKiller, Avast, Malwarebytes Anti-Malware, ComboFix (which I am sure I didn't use correctly) and the ESET online malware scanner.

So where do we start? My ESET NOD32 still reports that I am infected, while it couldn't be cleaned earlier. So I am still very worried about using any personal information on the internet.

What do I do?

I use Windows Vista Home Premium 32 bit.
 

More replies

Vista OS
Infected with Win32/Sirefef.FB.Gen Trojan
Original thread/scan logs in the 'Am I Infected' section: HERE

DDS Text Log.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Run by Darren Brown at 15:52:08 on 2012-07-23
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.2.1033.18.1021.146 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:... Read more

Answer: Win32/Sirefef.FB.Gen Trojan

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", as this requires the extra step of looking back at your previous post.

NOTE: At... Read more

24 more replies

I recently had some trojan issues but they were resolved here: http://www.bleepingcomputer.com/forums/topic459859.html/page__p__2757005#entry2757005

First and foremost, I'd like to thank the community at BleepingComputer for helping me resolve my previous issues. Anyway, my parents' PC has been acting strangely recently (Windows 7 Home Premium 64bit). I noticed that some Google search results on Google Chrome would redirect to possibly malicious sites rather than the actual search result. Also, an extension "Default Extension" was installed in Chrome. When I attempt to remove it and restart Chrome, it just appears again. I've noticed that when I disable it, I wouldn't get any redirections from search results. That being said, I immediately ran a full scan with Security Essentials. Win32/Tracur.AV and Sirefef!cfg were detected and quarantined. However, I'm still getting redirects and the extension still appears. I'm not entirely convinced this PC is clean. Any help would be greatly appreciated.

Answer: Infected with Win32/Tracur.AV and Sirefef!cfg

I also ran TDSS Killer. Apologies if I shouldn't have.
18:40:06.0333 0660 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
18:40:06.0567 0660 ============================================================
18:40:06.0567 0660 Current date / time: 2012/10/16 18:40:06.0567
18:40:06.0567 0660 SystemInfo:
18:40:06.0567 0660
18:40:06.0567 0660 OS Version: 6.1.7600 ServicePack: 0.0
18:40:06.0567 0660 Product type: Workstation
18:40:06.0567 0660 ComputerName: SHAHEED-LAPTOP
18:40:06.0567 0660 UserName: shaheed
18:40:06.0567 0660 Windows directory: C:\Windows
18:40:06.0567 0660 System windows directory: C:\Windows
18:40:06.0567 0660 Running under WOW64
18:40:06.0567 0660 Processor architecture: Intel x64
18:40:06.0567 0660 Number of processors: 2
18:40:06.0567 0660 Page size: 0x1000
18:40:06.0567 0660 Boot type: Normal boot
18:40:06.0567 0660 ============================================================
18:40:17.0338 0660 BG loaded
18:40:23.0001 0660 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0xEE72, SectorsPerTrack: 0x3F, TracksPerCylinder: 0x7F, Type 'K0', Flags 0x00000040
18:40:23.0016 0660 Drive \Device\Harddisk1\DR1 - Size: 0xF2C00000 (3.79 Gb), SectorSize: 0x200, Cylinders: 0x1EF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:40:23.0016 0660 ============================================================
18:40:23.0016 0660 \Devic... Read more

26 more replies

Computer was acting up and so I used ESET to scan and it found this trojan, it removed the 3 out of 4 threats found but the 4th is "Operating in memory." I tried running ESET in Safe Mode and same thing. I can't get rid of it. Please help as this is a work computer and I am not sure, or slightly not sure, of where the trojan came from. Thank you in advance.

Answer: I'm infected by Win32/Sirefef.EZ and can't get rid of it with ESET

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. Thanks, and again sorry for the delay.

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as... Read more

44 more replies

Greetings, I have a laptop with Windows 7 64bit. I believe the laptop is infected with the virus in the title of this post. Avast found it one point and put it in the virus chest. After rebooting the laptop would not boot into the OS. I ran recovery and reverted to last save point. The laptop boots to the OS but is still infected. Any help is much appreciated.

Answer: Laptop infected with Win32.sirefef-ho

Hi,

After performing these scans, enter the results in your next post and also update me on the status of the PC.

Note: You may have to perform some or all of the following in Safe Mode With Networking, depending on whether you have internet access while in the normal Windows environment.
================================================================================
Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document called checkup.txt should open automatically; please post the contents of that document.
================================================================================
Please download and scan with SUPERAntiSpyware Free.
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
In the Main Menu, click the P... Read more

11 more replies