Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


WHS with rootkit virus in sbscrexe.exe named sirefef-O

  • This topic is locked This topic is locked
2 replies to this topic

#1 Zipline


  • Members
  • 2 posts
  • Gender:Male
  • Location:CA
  • Local time:10:17 AM

Posted 05 October 2011 - 02:34 PM

Dear Masters of the Virus:

Yesterday my Windows Home Server (based off server 2003), running the latest version of Avast for server, detected some attempted access to malware sites and supposedly blocked them. (no browser directed me to those sites, so I assume it worked) However this was a symptom of a virus deeper down. After a few minutes I got the blue screen of death, and the computer restarted. When it came back up, the same thing happened, attempted access to sites, and then blue screen and restart.

Attempted fixes:
(having a hard time getting logs for these, the computer stops working in normal or safe mode, and after a few minutes from starting it up, I cannot access any of these programs)

I can't get avast to run a scan (it says it's doing active protection, but that's it)
Log: 10/4/2011 SYSTEM 920 sign of "win32:Sirefef-O [Rtk]" has been found in "C:\Windows\2941388334:3522800976.exe" file.
Each restart, brings this running in the process tree, and I can't terminate it.

-AVG boot CD w/ updated definitions
Detected Win32/Heur virus
Detected Renosa-J [Wrm]
Detected Sirefef-O [Rtk]
Cleaned / deleted files for all (supposedly)
Current scans show no infected files

-Dr. Web CureIt (super long scan!)
Found 4 infected files and those were "deleted"

Reports the file "sbscrexe.exe" has a hidden rootkit virus

-Dr. Web Live CD
Errors loading it, so it wouldn't start.

Note: I cannot run DDS b/c of my computer being a server. I am happy to run any other scanners, etc. you need me to, just let me know!

Thanks for the help in advance, a lot of people are depending on this server (as usual I'm sure).


BC AdBot (Login to Remove)


#2 Zipline

  • Topic Starter

  • Members
  • 2 posts
  • Gender:Male
  • Location:CA
  • Local time:10:17 AM

Posted 09 October 2011 - 12:01 AM

Not sure if anyone was working on this, but I just ended up calling McAfee Virus removal service, and they did a remote log-in and fixed it in about 5 minutes. Yay!
McAfee Virus Removal It was only $89.95 - I'm a big supporter now, and their service is guaranteed.

Edited by Zipline, 09 October 2011 - 12:05 AM.

#3 nasdaq


  • Malware Response Team
  • 40,224 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:17 PM

Posted 10 October 2011 - 12:54 PM

Hi I'm nasdaq

Can we close this topic?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users