
infected by win32/Sirefef.G


10 replies to this topic

#1 asdf12345678


Posted 26 April 2011 - 02:17 AM

Hi, I've been infected by a virus/trojan that I can't remove by myself. Windows Defender detects it as "Trojan:Win32/Sirefef.G" but is unable to remove it; the computer freezes when I try. If I'm correct, this is a trojan that can be used to install other viruses on your computer? I run Malwarebytes every time I start the computer and it always finds a "Trojan.Agent.Max" that I remove, but it comes right back. The computer works as normal except for a few programs that won't start.
Any help would be much appreciated.



#2 mathewdaniels


Posted 26 April 2011 - 02:45 AM

When you did a virus scan, did it show where the file is located?
If it does, save that directory in Notepad.
What operating system are you running? I'm using Windows XP, for example.
On startup, press F8 and boot into safe mode.
Go to My Computer, click on Tools, then Folder Options,
go to View, then Hidden files and folders, and click on Show hidden files.
When you have found the file, delete it, then do a virus scan in safe mode.

Hope it works for you =)

Edited by mathewdaniels, 26 April 2011 - 02:56 AM.


#3 asdf12345678


Posted 26 April 2011 - 03:55 AM

Thanks for the reply. I did what you recommended (running Vista, btw) and deleted windows/system32/DRIVERS/cdfs.sys, which seemed to be the home of Sirefef.G. After I deleted that file, Windows Defender could remove Sirefef.G without freezing, so that seems taken care of. Trojan.Agent.Max still shows up on each Malwarebytes scan after rebooting though; should I delete that file too? The file is C:\Windows\winsxs\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909/shsvcs.dll

#4 asdf12345678


Posted 26 April 2011 - 04:20 AM

Doesn't work with the Trojan.Agent.Max, it's still there after every reboot :S

#5 mathewdaniels


Posted 26 April 2011 - 04:21 AM

Sounds like you have got a spyware problem.
I would recommend downloading Spybot Search and Destroy or SUPERAntiSpyware.
You can download these programs from www.majorgeeks.com,
then update to the latest definitions.
While you're doing the scan, disconnect your internet connection.
But if all else fails, you should back up your files and try deleting it through safe mode.

Edited by mathewdaniels, 26 April 2011 - 05:26 AM.


#6 asdf12345678


Posted 26 April 2011 - 02:27 PM

OK, I used Spybot Search and Destroy and it found 4 items under the name "Fraud.Internetsecurity2011" but could not remove them. So I went ahead and used this guide http://www.bleepingcomputer.com/virus-removal/remove-internet-security-2011 to remove that virus. However, doing that doesn't seem to have helped much; Spybot still finds the same items and can't remove them. Here is a screenshot of what Spybot finds: http://www.imagebam.com/image/3b537a129676006

Kinda lost, would really appreciate further help.

#7 asdf12345678


Posted 26 April 2011 - 04:24 PM

Bla, spent so many hours without being able to fix it, guess I might just have to reformat?

#8 Computerproblem101


Posted 26 April 2011 - 07:56 PM

No need to reformat, this seems fixable.

Asdf12345678 - I'm going to ask you to boot your computer into safe mode and *IMPORTANT* right-click on Spybot and click Run As Administrator. Spybot needs to be run under Administrator elevation in order to remove objects. Remove the things it finds and then come back and let me know how it went.

#9 asdf12345678


Posted 27 April 2011 - 01:39 AM

That didn't work :/ Still getting the same message that they can't be removed.

#10 asdf12345678


Posted 27 April 2011 - 02:42 AM

OK, some progress now: managed to get rid of the registry keys by doing this http://www.vistax64.com/tutorials/67717-take-ownership-file.html and then using Spybot on them.
But the c:\Windows\WinSxs\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll file is just impossible to get rid of. I tried the same thing on it, but it always comes right back after a reboot. I don't know much about viruses, but this means there is another file/trojan somewhere that I haven't detected that keeps putting it back?

#11 asdf12345678


Posted 27 April 2011 - 06:32 AM

Yeah, tried a few more hours but can't do it. Going on vacation for 4 days tomorrow, going to reformat when I get back unless someone has written something new here. Thanks for trying, guys.



