
sirefef infection


10 replies to this topic

#1 ryanwills

ryanwills

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 03 June 2013 - 04:53 PM

Hello all, thank you for taking the time to read my post.
My ESET antivirus detected a variant of Sirefef, so I deleted it. Obviously it's not that easy. All of a sudden my antivirus was corrupt and I needed to reinstall. I tried to reinstall, and for some reason it had been removed completely. I looked for a solution, and yorkyt.exe seemed easy enough for what I needed, so I followed the easy steps. First reboot was fine; it told me it found a bad driver and replaced it. Second reboot, I get the blue screen. Now I can't start up normally. I have a yorkyt.exe log on the desktop, telling me it replaced adf.sys and added it to md5s. I don't really know what some of this means, and am hoping someone here can fix what I've done.
Thanks again
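The "added it to md5s" line in the yorkyt.exe log refers to the list of driver hashes a disinfection tool keeps so that a replaced driver can be recognised later. The following is an added example, not code from the thread or from Panda's tool, showing how that baseline-and-verify check works: record a digest for every known-good driver, then flag drivers whose digest changed, drivers that were never in the baseline, and drivers that disappeared. File names and contents are constructed for the demo; on a real machine you would point `build_baseline` at C:\Windows\System32\drivers from a clean boot environment, since a kernel-mode rootkit can lie to user-mode reads of the very file it patched.

```python
"""Baseline-and-verify check for driver files (added example, not from the thread).

Names and bytes below are constructed; they are not real Windows drivers.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large driver images do not have to fit in memory.

    Disinfection tools of the era kept MD5 lists; SHA-256 is the default here
    because MD5 collisions are cheap, but the algorithm name is a parameter.
    """
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(driver_dir, algo="sha256"):
    """Return {filename: digest} for every *.sys file under driver_dir."""
    return {p.name: file_digest(p, algo) for p in sorted(Path(driver_dir).glob("*.sys"))}


def verify_against_baseline(driver_dir, baseline, algo="sha256"):
    """Compare the directory's current state with a previously saved baseline.

    modified: same filename, different digest (a driver patched in place)
    unknown:  present now but absent from the baseline (a dropped driver)
    missing:  in the baseline but gone now (deleted or quarantined)
    """
    current = build_baseline(driver_dir, algo)
    modified = sorted(n for n in current if n in baseline and current[n] != baseline[n])
    unknown = sorted(n for n in current if n not in baseline)
    missing = sorted(n for n in baseline if n not in current)
    return {"modified": modified, "unknown": unknown, "missing": missing}


def demo():
    """Run the check against a constructed driver directory and return the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # constructed "clean" state
        (d / "netdrv.sys").write_bytes(b"clean network driver image")
        (d / "disk.sys").write_bytes(b"clean disk driver image")
        baseline = build_baseline(d)

        # constructed "infected" state: one driver overwritten in place so the
        # filename still looks legitimate, one new driver dropped, one removed
        (d / "netdrv.sys").write_bytes(b"driver image with injected code")
        (d / "rogue.sys").write_bytes(b"dropped driver not in the baseline")
        (d / "disk.sys").unlink()

        return verify_against_baseline(d, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

The baseline only has value if it was taken from a known-clean system or derived from vendor-signed catalog hashes; a baseline captured after the infection simply enshrines the patched driver as "good". That is also why replacing the driver from a reboot-time tool, as the log describes, is the usual approach: the file is restored before the rootkit's driver loads.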


#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:13 PM

Posted 03 June 2013 - 05:55 PM

Hello -

That yorkyt.exe file on your desktop belongs to Panda Security and is used to disinfect Trj/Sirefef and Rootkit/ZAccess (if it's the same one). Open it to check.
http://www.pandasecurity.com/enterprise/support/card?id=1672&idIdioma=2

 

Download Screen317's Security Check from Here and save it to your Desktop.

* Double-click SecurityCheck.exe

* Follow the onscreen instructions inside of the black box.

* A Notepad document should open automatically called checkup.txt;

* Please Copy / Paste the contents of that document back here.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE (or any similar file) access the Internet, allow it to do so.

NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

 

Next: Please download Malwarebytes AntiMalware to desktop.

Check for updates if not done during download and run a Quick Scan only.

You can check "Remove" for any infections found, and the program may ask you to Reboot if several infections are found.

Please Copy / Paste the Report log back here when completed.

 

Next: Please download SUPERAntiSpyware to desktop.

Check for latest updates if not done during the download.

You can check "Remove" for any infections found, and the program may ask you to Reboot if several infections are found.

Run a Quick Scan only and Copy / Paste the Report log back here when finished -

 

Thank You -

 


Edited by noknojon, 03 June 2013 - 05:56 PM.


#3 ryanwills

ryanwills
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 03 June 2013 - 08:57 PM

Sorry, I should specify that I can only boot in safe mode. Am I still going to be able to install these programs? I haven't actually tried safe mode with networking, but I'm guessing it doesn't make a difference?

#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:13 PM

Posted 03 June 2013 - 09:28 PM

Try safe mode with networking (it should download them).

Our scans may not be as good, but we may get something.

 

Thanks -



#5 ryanwills

ryanwills
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 04 June 2013 - 02:45 PM

Testing
Computer will not boot in safe mode with networking. Downloaded programs from phone to sd card, took out sd card and ran programs from there.

Edited by ryanwills, 04 June 2013 - 05:10 PM.


#6 ryanwills

ryanwills
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 04 June 2013 - 02:55 PM

I apologize for the separate posts; my only means of communication is my phone, and I can't send the logs all at once for some reason.

Results of screen317's Security Check version 0.99.64
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
ESET Smart Security 4.2
Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
CCleaner
Java™ 6 Update 31
Java™ SE Runtime Environment 6
Java version out of Date!
Adobe Flash Player 11.7.700.202
Adobe Reader 10.1.6 Adobe Reader out of Date!
Google Chrome 26.0.1410.43
Google Chrome 26.0.1410.64
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

#7 ryanwills

ryanwills
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 04 June 2013 - 03:15 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/04/2013 at 03:38 PM

Application Version : 5.6.1020

Core Rules Database Version : 10483
Trace Rules Database Version: 8295

Scan type : Quick Scan
Total Scan Time : 00:06:38

Operating System Information
Windows Vista Home Premium 32-bit, Service Pack 2 (Build 6.00.6002)
UAC Off - Administrator

Memory items scanned : 290
Memory threats detected : 0
Registry items scanned : 30371
Registry threats detected : 6
File items scanned : 6804
File threats detected : 7

PUP.MyWebSearch/FunWebProducts
HKLM\SOFTWARE\FunWebProducts
HKLM\SOFTWARE\FunWebProducts\Installer
HKLM\SOFTWARE\FunWebProducts\Installer#Dir
HKLM\SOFTWARE\FunWebProducts\Installer#PluginPath
HKLM\SOFTWARE\FunWebProducts\Installer#sr
HKLM\SOFTWARE\FunWebProducts\Installer#pl
C:\Program Files\FunWebProducts\Installr\1.bin
C:\Program Files\FunWebProducts\Installr\2.bin
C:\Program Files\FunWebProducts\Installr\3.bin
C:\Program Files\FunWebProducts\Installr\4.bin
C:\Program Files\FunWebProducts\Installr
C:\Program Files\FunWebProducts

Trojan.Agent/Gen-Nullo[Micro]
C:\WINDOWS\CSUP.TXT

#8 ryanwills

ryanwills
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 04 June 2013 - 03:25 PM

Okay, apparently it's something about the MBAM log that won't let me post it to the forum.

#9 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:13 PM

Posted 04 June 2013 - 05:37 PM

Hi -

The SUPERAntiSpyware log is not complete. This may be due to the infection.

It is odd that you are not able to post the MBAM log, but the SAS log posted (within reason). FunWebProducts was the only major problem listed as removed.

 

As you can read from the Security Check log, your security programs have been hit, and have not updated.

Did you get any items removed with the MBAM scan, or was it a clean (nothing found) result ?

 

 

 

If the problem still exists and you are not able to post the scan results, please post in Malware Removal area (See below)

 

Please read the Preparation Guide from Step #6 and post a new topic, with the requested logs, in Malware Removal Logs Area for the Experts to help.

Even if you are not able to produce the requested logs, still post there, fully describe the problems, and leave a link to this topic if you can.

 

Thank You -



#10 ryanwills

ryanwills
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 04 June 2013 - 09:03 PM

Trojan fake alert and dtlite trojan agent.
I told the program to remove them and it requested a restart; I did so, and then saved the log.
I can't even copy the filenames without the website telling me to select a post when I hit reply.

#11 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:13 PM

Posted 04 June 2013 - 09:15 PM

Hi -

Please follow the links above and post in the Malware Removal Logs Area

It seems that you have a serious version of the infection, and the Experts will offer better help at this time.

 

I could offer you other similar tools, but I do not think they will run at this time -

 

Thank You -





