
Trojan:Win32/Sirefef.AB and Trojan:Win64/Sirefef.P


60 replies to this topic

#1 Chó

Chó

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:10:23 AM

Posted 11 June 2012 - 01:41 PM

Hi, I'm from Portugal and I'm getting frustrated because I can't remove this virus.

Microsoft Security Essentials is finding 2 files I can't remove when I reboot the computer. When I reboot, MSE continues to find those files.

I'm running Windows 7 Home Premium Edition 64 bit service pack 1.

Please help me!



#2 Chó

Chó
  • Topic Starter


Posted 11 June 2012 - 04:16 PM

Help me, please. I don't know what to do.

#3 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:04:23 AM

Posted 11 June 2012 - 11:14 PM

Welcome to the Forum, Chó!

There is a specialized tool that works well with this type of infection...
Before running it, I need to find out some information from you:

Do you have the Repair your computer option in the Advanced Boot Options menu?

To find out:
Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Is the Repair your computer option listed?
If you do not have the option above, do you have a Windows Seven installation CD/DVD available?

And last, do you have a USB flash drive available, and do you have access to another computer?

Old duck...


#4 Chó


Posted 12 June 2012 - 04:27 AM

Yes, I have the Repair Your Computer Option and the USB flash drive available, but I don't have a Windows Seven installation CD/DVD.

#5 Aaflac


Posted 12 June 2012 - 11:57 AM

You have what we need, so let's press on...

You may want to print these instructions so you can have access to follow them.


Please plug a flash drive into a clean computer.
Go to Start > Computer
Double-click Computer, and select the flash drive.
Right-click and select: Format
Press Start on the Format prompt.
Remove when done.

Now, since your Operating System is 64-bit, download Farbar Recovery Scan Tool 64-Bit
Save the program to the >> USB flash drive.

Next, plug the flash drive into the infected computer.

>>>Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your language settings, and click: Next
  • Select your User account and click: OK (If you did not set a password, leave blank.)

On the System Recovery Options menu you get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors.
Command Prompt
  • Select Command Prompt
  • In the Command window, at the blinking cursor type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter (remember what letter it is), click on it, and press: Open
  • Close out of Notepad.
  • Click the Command window.
  • Type g:\frst64.exe, and press: Enter
    Note: Replace the drive letter g with the drive letter of your flash drive!
  • The tool starts and prepares to run. Follow the prompts.
  • Click Yes to the disclaimer.
  • Press the Scan button.
  • When done, the program saves the FRST.txt on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Back at the System Recovery Options, press: ShutDown
Please provide the FRST.txt, stored in the USB flash drive, in your reply.

Old duck...


#6 Chó


Posted 12 June 2012 - 01:42 PM

I'm having trouble when I want to open the file I saved in my flash drive.

It says "X:\windows\system32>" and then I can't open g:\frst64.exe, and G is the letter of my flash drive.

#7 Aaflac


Posted 12 June 2012 - 03:29 PM

Did you download the FRST file to a clean computer, or to the infected computer?

Remove the downloaded file, and download a new copy.

Try removing whatever you have on the flash drive, and move FRST to it. Check what happens.

Try downloading FRST to the Desktop of the computer, and then move it to the flash drive.

Old duck...


#8 Chó


Posted 12 June 2012 - 03:43 PM

I have downloaded the FRST file to a clean computer.
And my flash drive was empty until I moved the FRST file.

#9 Aaflac


Posted 12 June 2012 - 03:53 PM

Can you replicate the issue you are having, and take a screenshot of the window showing it?

With the problem window to be captured on the screen...
  • Hold the 'Alt' key and press the 'Print Screen' key (often just labeled 'Prt Sc') on your keyboard.
  • Open the MS Paint image editing application under Start > Accessories
  • Paste the captured image into MS Paint.
  • Go to File > Save as, and save the image as a (.GIF) file on your Desktop (easy to find)
Next:
  • Go to Tiny Pic
  • Use the Browse... button to navigate to the image you already prepared.
  • In File type, check/tick: Image
  • In the Choose File to Upload prompt, select the image to upload by clicking on it, and pressing: Open
  • In the TinyPic screen, press: Upload
  • In the next screen, copy: IMG code for Forums and Message Boards

Please paste the TinyPic link provided in your reply.

Old duck...


#10 Chó


Posted 12 June 2012 - 04:12 PM

http://i49.tinypic.com/2weyjwp.jpg

This is what happens when I open the Command Prompt.

#11 Aaflac


Posted 12 June 2012 - 07:04 PM

At X:\Windows\System32\>, can you type anything after it, or is it showing some symbols/numbers/punctuation marks?

If you are able to type, try the following:

1. At the Command prompt X:\Windows\System32\>, type notepad and press: Enter
In Notepad, under the File menu select: Open
Double-click Computer. Do you see the local disk (normally C:\) there?

2. At the Command Prompt, at X:\Windows\System32>, type: diskpart
Press: Enter
When the prompt changes from X:\Windows\system32> to: diskpart> , type: list volume
The command lists all volumes recognized, and their corresponding drive letter assignment.
Is G:\ listed there?
To exit Diskpart, type: exit


3. At X:\Windows\System32\>, can you change to drive g:\ using the following command, and pressing Enter:

cd /d g:\


4. If the above works, at g:\> type: frst64.exe, and press: Enter
What happens when you type this? Need to know the exact error or anything that happens on the screen.



If problems persist, restart the computer, and do the following:

Please download Listparts64
Save to the Desktop
Double-click the downloaded file to run the program.
Click: Scan
When done, please post the Result.txt in your reply.

Edited by Aaflac, 12 June 2012 - 09:51 PM.

Old duck...


#12 Chó


Posted 13 June 2012 - 05:00 AM

I can change to drive g:\ but when I type frst64.exe and press Enter I get this error:

The file or directory is corrupt and non-readable. The file or directory \frst64.exe is corrupt and unreadable. Please Run the Chkdsk utility.

#13 Aaflac


Posted 13 June 2012 - 10:51 AM

You need to remove FRST from the flash drive, download a fresh copy of FRST to the flash drive once again, and try the instructions again.

Try using Internet Explorer to download, if that is not what you are doing.

Old duck...


#14 Chó


Posted 13 June 2012 - 01:01 PM

Now it says that g:\FRST64.exe isn't a valid Win32 application.

I don't know if this is related to the OS, but I'm sure that mine is 64-bits.

Edit: By the way, my computer is becoming slower.

Edited by Chó, 13 June 2012 - 01:04 PM.
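
An added example, not part of the thread and not FRST's own code: before carrying a downloaded tool to the infected machine, its copy on the flash drive can be checked on the clean computer for an intact executable header, its target architecture (32-bit or 64-bit), and section data that runs past the end of the file. It assumes Python is available on the clean computer; `inspect_pe` and `build_sample` are hypothetical names, and the sample bytes are constructed for the demonstration.

```python
import struct
import sys

# Machine field values from the PE/COFF file header.
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}

def inspect_pe(data: bytes) -> dict:
    """Structural check of a Windows executable image held in memory."""
    bad = lambda why: {"ok": False, "machine": None, "reason": why}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return bad("no MZ header: not an executable (saved web page or empty file?)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return bad("PE signature missing or beyond end of file")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)                          # COFF header
    table = pe_off + 24 + opt_size                             # section table
    if table + 40 * nsect > len(data):
        return bad("section table truncated")
    for i in range(nsect):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each entry.
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size and raw_ptr + raw_size > len(data):
            return bad("truncated: section data runs past end of file")
    name = MACHINES.get(machine, hex(machine))
    return {"ok": True, "machine": name,
            "reason": "headers and section sizes are consistent"}

def build_sample(machine: int) -> bytes:
    """Constructed header set with one section; not a loadable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0022)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x200)
    sect += b"\0" * 16
    image = (dos + b"PE\0\0" + coff + sect).ljust(0x200, b"\0")
    return image + b"\x90" * 0x10

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # e.g. python check_pe.py G:\frst64.exe
        with open(sys.argv[1], "rb") as fh:
            print(inspect_pe(fh.read()))
    else:                                  # demo on the constructed sample
        good = build_sample(0x8664)
        print(inspect_pe(good))
        print(inspect_pe(good[:-1]))       # one byte short, as after a bad copy
```

A pass here only means the file's structure is consistent; it does not prove the copy is the publisher's original.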


#15 Aaflac


Posted 13 June 2012 - 01:22 PM

To find out if the system is 32-bit, or 64-bit...

Go to Start > Control Panel
Type system in the Search Control Panel box (upper right)
Under System, look for: System type
It states either 64-bit Operating System, or, 32-bit Operating System
Please provide the result.

Old duck...




