Infected with sirefef.ah and sirefef.r after Live Security Update - reboots every minute


This topic is locked
22 replies to this topic

#1 Archeologist

Posted 27 July 2012 - 11:41 AM

Hello,

Yesterday my PC was infected with the Live Security Virus. It's an HP desktop running Win Vista Home Premium.

I was able to download AntiMalwarebytes and run it to remove the Live Security Virus.

Afterwards MSE would not run, so I uninstalled it, and reinstalled.

After rebooting, MSE detected the sirefef.ah and sirefef.r viruses, but before it can clean them the PC gives a warning that it had a critical error, and will restart in a minute. It then restarts.

I tried downloading TDSSkiller onto a flash drive on this PC (my laptop), plugged it into the infected PC and ran it, but it didn't find anything. Sure enough, it then shut down again.

MSE will detect the viruses, but doesn't have enough time to deal with them.

I'd love some help! What should I try next?

Thanks!
Ian

#2 Archeologist (Topic Starter)

Posted 27 July 2012 - 06:54 PM

Ignore this for now, I've taken the PC into a local shop. I just don't have the time right now to figure this out on my own. I will post any solutions they tell me.

Thanks anyway, I'll be back for other issues I'm sure!

Edited by Archeologist, 27 July 2012 - 06:54 PM.


#3 RPMcMurphy (Malware Response Team)

Posted 28 July 2012 - 10:42 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [Donate].


#4 RPMcMurphy (Malware Response Team)

Posted 03 August 2012 - 04:47 PM

This topic has been re-opened at the request of the person who originally posted.

#5 RPMcMurphy (Malware Response Team)

Posted 03 August 2012 - 04:49 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:
    netsvcs
  • Click the Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and paste them into your next post.
Download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it
  • You will be asked if you want to use Avast! Free anti virus for scanning - select No
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Please include the following in your next post:
  • OTL.txt and Extras.txt logs
  • aswMBR log

#6 Archeologist (Topic Starter)

Posted 03 August 2012 - 10:00 PM

Quick update. I have 2 hard drives on this PC, as I closed the 300 GB drive when I installed the 1 TB drive (the infected drive). So I'm working off the old drive, which is virtually identical just a few months out of date, and obviously not infected. I figured I'd try the software here first, then boot to the other drive and run it there.

But when I downloaded OTL.exe to my desktop and try to run it it gives me an error message:

"The NTVDM CPU hass encountered an illegal instruction.
CSe700 IP.o1cf OP:63 8d 1b 92 a9 Choose "Close" to terminate the application."

aswMBR.exe ran successfully.

What should I do about OTL?

Thanks!
Ian

#7 RPMcMurphy (Malware Response Team)

Posted 04 August 2012 - 12:26 AM

Hi,

Please boot the infected drive and try running it from there.

#8 Archeologist (Topic Starter)

Posted 04 August 2012 - 10:36 AM

I booted from the infected drive, downloaded the two files, and tried to run them.

I only get about 3 minutes max before the PC reboots again, and for part of that time it's booting and won't run anything.

OTL.exe does not complete in time.

aswMBR did complete. Here is the aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-04 08:32:06
-----------------------------
08:32:06.046 OS Version: Windows 6.0.6002 Service Pack 2
08:32:06.046 Number of processors: 2 586 0xF02
08:32:06.046 ComputerName: HPDESKTOP UserName: Ian
08:32:19.696 Initialize success
08:32:23.471 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
08:32:23.471 Disk 0 Vendor: ST310003 SD1A Size: 953869MB BusType: 3
08:32:23.471 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
08:32:23.471 Disk 1 Vendor: ST332082 3.AH Size: 305245MB BusType: 3
08:32:23.486 Disk 0 MBR read successfully
08:32:23.486 Disk 0 MBR scan
08:32:23.486 Disk 0 unknown MBR code
08:32:23.486 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 925361 MB offset 63
08:32:23.518 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 28505 MB offset 1895139855
08:32:23.533 Disk 0 scanning sectors +1953520065
08:32:23.564 Disk 0 scanning C:\Windows\system32\drivers
08:32:30.335 Service scanning
08:32:42.206 Modules scanning
08:32:44.437 Disk 0 trace - called modules:
08:32:44.437 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
08:32:44.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8676a370]
08:32:44.453 3 CLASSPNP.SYS[8bfa18b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85ceb030]
08:32:44.468 Scan finished successfully
08:32:50.880 Disk 0 MBR has been saved successfully to "C:\Users\Ian\Desktop\MBR.dat"
08:32:50.896 The log file has been saved successfully to "C:\Users\Ian\Desktop\aswMBR.txt"


Should I shorten the time value in OTL to see if it completes?

Or is there any way to manually stop the reboot? I've tried shutdown /a in the past with no luck.

Also, I am running in safe mode with networking and it still has the issue.

Thanks again!
Ian

Edited by Archeologist, 04 August 2012 - 10:45 AM.
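
An added example, written by the editor and not part of this thread or of aswMBR: it assumes the MBR.dat the log above says aswMBR saved is the raw 512-byte sector 0, decodes its partition table and hashes the boot-code area, so the "unknown MBR code" verdict can be compared against the same hash taken from a known-clean disk (here, the uninfected second drive in this PC). The sample MBR is constructed to reproduce the two NTFS partitions in the log; its boot code is filler.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"
SECTORS_PER_MB = 2048  # 512-byte sectors; aswMBR reports sizes in whole MB

@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def size_mb(self) -> int:
        return self.sector_count // SECTORS_PER_MB

def parse_mbr(sector0: bytes) -> list[PartitionEntry]:
    """Decode the four primary partition entries of a 512-byte MBR."""
    if len(sector0) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector0)}")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")  # never valid on a bootable disk
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4), little-endian
        status, type_id, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if type_id != 0:  # type 0x00 marks an unused slot
            entries.append(PartitionEntry(i + 1, status == 0x80, type_id, lba_start, count))
    return entries

def boot_code_sha256(sector0: bytes) -> str:
    """Hash the 446-byte boot-code area only (partition table excluded); compare
    with the same hash from a known-clean MBR, e.g. the uninfected second drive,
    to see whether the code aswMBR flags as "unknown" differs from that baseline."""
    return hashlib.sha256(sector0[:446]).hexdigest()

def build_sample_mbr() -> bytes:
    """Constructed MBR reproducing the two NTFS partitions in the log above
    (925361 MB from sector 63, 28505 MB from sector 1895139855); filler boot code."""
    layout = [(0x80, 0x07, 63, 1895139792), (0x00, 0x07, 1895139855, 58378240)]
    table = b"".join(struct.pack("<B3sB3sII", s, b"\xff" * 3, t, b"\xff" * 3, start, n)
                     for s, t, start, n in layout)
    return bytes([0x90]) * 446 + table + bytes(32) + BOOT_SIGNATURE
```

Reading the real file is `parse_mbr(open("MBR.dat", "rb").read())`; a hash that matches the clean drive's MBR points away from the boot code and toward the rest of the boot chain.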


#9 RPMcMurphy (Malware Response Team)

Posted 04 August 2012 - 04:53 PM

Let's try a different approach;

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

If your OS is 64 bit download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Please include the following in your next post:
  • FRST.txt log

#10 Archeologist (Topic Starter)

Posted 05 August 2012 - 07:03 PM

OK, I'm trying to make a system recovery disc, all I currently have are the HP recovery discs I made a few years ago, and they don't have the options listed above. I'll report back when I get the recovery discs made and the above instructions completed.

Bleeping computer is right. Sigh....

#11 Archeologist (Topic Starter)

Posted 06 August 2012 - 01:18 AM

Feeling more and more like an idiot.

I downloaded a vista recovery tool from here:
http://systemdiscs.com/?utm_source=neosmart&utm_medium=article&utm_campaign=Vista_64_Recovery

But it appears to be Linux based.

When I use it to launch a command line, none of the commands you asked me to run work.

Do you know where I can find a real Windows recovery disk? I have the official disks that came with my HP Pavilion, but they don't offer the repair options. I thought this would.

I can see the file FRST.exe on the USB drive, I just can't figure out how to run it. Any ideas on how to run it, or do I need to find a Windows recovery disk?

Thanks again,
Ian

#12 RPMcMurphy (Malware Response Team)

Posted 06 August 2012 - 01:52 PM

Did you check to see if the Advanced Boot options were already available by tapping f8 while starting the PC?

#13 Archeologist (Topic Starter)

Posted 06 August 2012 - 01:57 PM

I did, but it tells me that I need the recovery CD. The recovery CDs I made back in 2008 were the HP version that wipes you back to square 1. Everything I searched for online pointed me to the Neosmart discs, but they never mentioned they were Linux based.

If you know where I can find a Vista recovery disc online that's Windows-based I'll grab it. Or I will try to figure out how to execute that file through Linux.

#14 RPMcMurphy (Malware Response Team)

Posted 06 August 2012 - 01:59 PM

Let me do some checking - I'll be back with you later this evening.

#15 Archeologist (Topic Starter)

Posted 06 August 2012 - 02:08 PM

Thanks again, I really appreciate the help.

Luckily we have the second hard drive in the PC that still works, so we're using that to use Windows Media Center. This PC is primarily used as a TV, but also contains lots of photos, kids videos, etc. so I'd still like to fix it rather than wiping it clean.