Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Sirefef


  • This topic is locked This topic is locked
11 replies to this topic

#1 Craig55

Craig55

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 05 August 2012 - 02:26 PM

My laptop gets the message "windows has encountered a critical problem and will restart automatically in one minute". It reboots then I recieve the same error and it reboots again. MSE detects Sirefef and tries to clean it but my laptop reboots before it can finish. The problem still occurs in safe mode. I'm running on Vista 32 bit.

I tried using dds but it restarts before it finishes

When I use GMER it finds a rootkit and then asks for a full scan. I tried the full scan but it doesn't finish in time. So I saved the shorter scan.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-08-05 10:59:23
Windows 6.0.6002 Service Pack 2
Running: 1lu6v0b0.exe


---- Services - GMER 1.0.15 ----

Service C:\SystemRoot\System32\Drivers\603e50a8ba9f265e.sys (*** hidden *** ) [BOOT] 603e50a8ba9f265e <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Edited by Craig55, 05 August 2012 - 05:51 PM.


BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:58 PM

Posted 06 August 2012 - 05:37 PM

Please do the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there
[*]Press Scan button.
[*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
services.exe
[*]now press the search button
[*]when the search is complete, search.txt will also be written to your USB
[*]type exit and reboot the computer normally
[*]please copy and paste both logs in your reply.(FRST.txt and Search.txt)[/list]

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Craig55

Craig55
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 06 August 2012 - 06:39 PM

Is there an alternative fix? I don't have that option or an installation or recovery disc.

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:58 PM

Posted 06 August 2012 - 06:46 PM

try this:

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Craig55

Craig55
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 06 August 2012 - 07:00 PM

what if my laptop restarts while combofix is running?

edit: i meant to say what if combofix doesn't finish in time due to the nature of my problem?

Edited by Craig55, 06 August 2012 - 07:06 PM.


#6 Craig55

Craig55
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 06 August 2012 - 07:22 PM

I ran combofix but after it backed up files it stopped. Should I run it again?

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:58 PM

Posted 06 August 2012 - 07:32 PM

disable MSE (or uninstall it) that will temporarily stop the rebooting

try ComboFix in safe mode

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 Craig55

Craig55
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 06 August 2012 - 08:45 PM

First I disabled MSE and my laptop still rebooted. It took me few tries but I managed to uninstall MSE. I tried combofix in safe mode but a blue window pops up and disappears instantly and nothing happens after that.

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:58 PM

Posted 06 August 2012 - 09:07 PM

Try this:

Kaspersky Virus Removal Tool

Download the tool from here and save it to your desktop

Double click the set up icon to install it > click Run >

(Vista/win7 users > right click > run as administrator)

Select your language > follow the steps in the wizard to install it. (This will take a few minutes to install)

In the Autoscan window, make sure there is a check mark beside the following:
  • Hidden Start-up objects
  • System Memory
  • Disk Boot Sectors
  • Local Disk (C:)

Click the "Start Scan" button

Allow it to remove any threats (choose the "select this option for all items")

This scan will take quite a while.

Once the scan has completed > select the report button > choose "save" > post the content of the report in your next reply

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 Craig55

Craig55
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 06 August 2012 - 11:03 PM

I had trouble installing from normal mode. So I installed it in safe mode. Is it okay to scan in safe mode?

Edit: So I finished the scan and now my laptop won't boot up.

Edit2: Thank you for the support. I've decided to restore my laptop to factory settings. So you can close the thread.

Edited by Craig55, 07 August 2012 - 06:04 AM.


#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:58 PM

Posted 07 August 2012 - 07:38 AM

ok, you machine was badly infected with a rootkit, so it was probably the best thing to do.

good luck

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:58 PM

Posted 07 August 2012 - 07:38 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users