virus.win32.sirefef.r (v)
Started by ryackx, Aug 13 2012 06:32 AM
9 replies to this topic
#1
Posted 13 August 2012 - 06:32 AM
I have the following problem: virus.win32.sirefef.r (v). Ad-Aware will not remove it, and I was wondering if anyone could tell me of a free tool to remove it or give detailed instructions on how to manually remove it.
#2
Posted 14 August 2012 - 11:39 AM
#3
Posted 14 August 2012 - 01:59 PM
Sorry, was a bit distracted that night...
Attached Files
#4
Posted 14 August 2012 - 02:36 PM
You should have the computer connected to the internet as little as possible, since it may try to contact other computers on the internet to, for example, download more malicious files.
1. Please paste the content of logs into your answer instead of attaching them, unless I ask you to do otherwise. But for now I would be glad if you could attach the other log file from DDS, Attach.txt.
2. In the C:\ProgramData\Lavasoft\AntiMalware\History\ folder Ad-Aware stores all scan logs; their names are the date and time when the scan was done. Please open one of the logs where Ad-Aware detects win32.sirefef.r(v) and paste its content into your answer.
3. Please follow the instructions on http://www.bleepingc...to-use-combofix for installing and running ComboFix.
Read carefully and note the "Disclaimer of warranty"!
Paste the content of the log into your answer.
If ComboFix displays a message, for example that a rootkit was found, write it down in as much detail as possible.
#5
Posted 14 August 2012 - 04:40 PM
<?xml version="1.0"?>
<SBCSThreatEngineResults version="5.0.5116">
  <summary cleanerAborted="false" scannerAborted="false" threatDefinitionVersion="12630" scanDescription="0 - Quick, 0 - Manual" scanGUID="{D8B5B7CA-5DCF-4DD0-94B7-BB69F0C1A191}">
    <scannerResults>
      <numThreats ignored="0" found="1"/>
      <numTracesScanned total="29899" MBR="0" hookCodeSectionRing3="0" hookCodeSectionRing0="0" hookDevice="0" scanSysEnter="0" hookIDT="0" hookIAT="0" ntosExport="0" ntdllExport="0" ssdt="0" sysModules="0" threads="0" procMemory="0" procModule="0" archives="0" processes="54" folders="0" files="0" registry="29844" cookies="1"/>
      <numTracesFound total="1" MBR="0" hookCodeSectionRing3="0" hookCodeSectionRing0="0" hookDevice="0" scanSysEnter="0" hookIDT="0" hookIAT="0" ntosExport="0" ntdllExport="0" ssdt="0" sysModules="0" threads="0" procMemory="0" procModule="0" archives="0" processes="1" folders="0" files="0" registry="0" cookies="0"/>
      <dateTimeStampUTC end="2012-08-14T15:33:19" start="2012-08-14T15:31:23"/>
      <errors/>
    </scannerResults>
    <cleanerResults>
      <numThreats ignored="0" total="0" reportonly="0" quarantined="0" deleted="0"/>
      <dateTimeStampUTC end="" start=""/>
      <errors/>
    </cleanerResults>
  </summary>
  <scannerOptions scanSysEnter="true" hookIAT="true" ntosExport="true" ntdllExport="true" ssdt="true" scanMBR="true" scanCodeSectionRing3="true" scanCodeSectionRing0="true" scanDevice="true" scanIDT="true" scanSystemModule="true" scanProcessMemory="true" scanRootkits="true" scanDerivatives="false" scanVipreSuspicious="false" minCheckFileLen="0" maxCheckFileLen="6291456" keepScanRecord="true" findLowRiskThreats="true" recursiveFileScan="false" scanKnownFileTypes="false" scanArchives="false" scanCommonTactics="false" dontCalcCRC8="false" useFileNameAndCRC8="true" scanAllUsers="false" suspendActiveThreats="true" scanProcessesDeep="false" scanRegistry="true" scanProcessThread="true" scanProcesses="true" scanCookies="true" scanFiles="false" excludeRemovableDrives="true" scanAllLocalDrives="false">
    <userIncludedPaths/>
    <userExcludedPaths/>
    <ignoredThreats/>
  </scannerOptions>
  <cleanerOptions/>
  <threats>
    <threat cleanerResult="-1" actionRequested="-1" optionalScan="0" author="" canQuarantine="true" adviseType="3" quarantineId="" type="Virus" CategoryID="52" category="Virus.W32" level="2" name="Virus.Win32.Sirefef.r (v)" id="4758412">
      <authorURL/>
      <desc>A Virus is a piece of malicious code that has the ability to replicate itself and invade other programs or files in order to spread within the infected machine. Viruses typically spread when users execute infected files or load infected media, especially removable media such as floppy disks or CD-ROMs. Viruses can also spread via email through infected attachments and files. Most Viruses include a "payload" of some sort. Some "payloads" are merely annoying and disruptive; other "payloads" may damage software and data on a computer or even the computer hardware itself.</desc>
      <threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails>
      <customData/>
      <traces>
        <trace type="2" dispValue="568, C:\Windows\System32\services.exe">
          <attr v="568" n="pid"/>
          <attr v="C:\Windows\System32\services.exe" n="procPath"/>
          <attr v="1" n="imageType"/>
          <attr v="33CC47D31E1A0000" n="crc8"/>
          <attr v="014A9CB92514E27C0107614DF764BC06" n="md5"/>
          <attr v="8" n="detectionType"/>
        </trace>
      </traces>
    </threat>
  </threats>
</SBCSThreatEngineResults>
Attached Files
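As an added example (not part of this thread, and not Ad-Aware's or Lavasoft's own tooling), the script below parses a scan log in the SBCSThreatEngineResults format the poster pasted above and reduces it to what a responder actually needs: when the scan ran, how many threats were found versus quarantined or deleted, and for each trace where the detection lives. The SAMPLE_LOG is a trimmed copy of the posted log; the element and attribute names are taken only from that log, and the SYSTEM_DIRS list used to flag detections inside Windows system processes is my own assumption.

```python
"""Summarise and triage an SBCSThreatEngineResults XML scan log.

Added example, not part of the forum thread: it parses the kind of Ad-Aware
log the poster pasted above so a responder can see what was detected, where
it lives, and whether the cleaner actually removed anything.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: a trimmed copy of the log posted in this thread,
# keeping only the elements the parser reads.
SAMPLE_LOG = r"""<?xml version="1.0"?>
<SBCSThreatEngineResults version="5.0.5116">
  <summary cleanerAborted="false" scannerAborted="false" threatDefinitionVersion="12630"
           scanDescription="0 - Quick, 0 - Manual">
    <scannerResults>
      <numThreats ignored="0" found="1"/>
      <numTracesScanned total="29899" processes="54" registry="29844" cookies="1" files="0"/>
      <numTracesFound total="1" processes="1" registry="0" cookies="0" files="0"/>
      <dateTimeStampUTC end="2012-08-14T15:33:19" start="2012-08-14T15:31:23"/>
    </scannerResults>
    <cleanerResults>
      <numThreats ignored="0" total="0" reportonly="0" quarantined="0" deleted="0"/>
    </cleanerResults>
  </summary>
  <threats>
    <threat cleanerResult="-1" type="Virus" category="Virus.W32" level="2"
            name="Virus.Win32.Sirefef.r (v)" id="4758412">
      <traces>
        <trace type="2" dispValue="568, C:\Windows\System32\services.exe">
          <attr v="568" n="pid"/>
          <attr v="C:\Windows\System32\services.exe" n="procPath"/>
          <attr v="014A9CB92514E27C0107614DF764BC06" n="md5"/>
          <attr v="8" n="detectionType"/>
        </trace>
      </traces>
    </threat>
  </threats>
</SBCSThreatEngineResults>"""

# Assumption (not from the log format): a detection inside a process running
# from one of these directories is a rootkit-class finding, not a stray download.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_scan_log(xml_text: str) -> Dict:
    """Return a dict with the scan summary and a list of threats and their traces."""
    root = ET.fromstring(xml_text)
    scanner = root.find("summary/scannerResults")
    cleaner = root.find("summary/cleanerResults")
    when = scanner.find("dateTimeStampUTC")
    summary = {
        "engine": root.get("version"),
        "started": when.get("start"),
        "ended": when.get("end"),
        "traces_scanned": int(scanner.find("numTracesScanned").get("total", 0)),
        "threats_found": int(scanner.find("numThreats").get("found", 0)),
        "quarantined": int(cleaner.find("numThreats").get("quarantined", 0)),
        "deleted": int(cleaner.find("numThreats").get("deleted", 0)),
    }
    threats = []
    for th in root.iter("threat"):
        traces = []
        for tr in th.findall("traces/trace"):
            # Each <attr n="..." v="..."/> is one key/value pair of the trace.
            trace = {a.get("n"): a.get("v") for a in tr.findall("attr")}
            trace["traceType"] = tr.get("type")
            trace["display"] = tr.get("dispValue")
            traces.append(trace)
        threats.append({
            "name": th.get("name"),
            "category": th.get("category"),
            "level": int(th.get("level", 0)),
            "cleaner_result": int(th.get("cleanerResult", 0)),
            "traces": traces,
        })
    return {"summary": summary, "threats": threats}


def triage(report: Dict) -> List[str]:
    """Turn the parsed report into short findings a responder can act on."""
    notes = []
    s = report["summary"]
    if s["threats_found"] and not (s["quarantined"] or s["deleted"]):
        notes.append(
            f"{s['threats_found']} threat(s) found but nothing quarantined or "
            f"deleted: the scan only reported, it did not clean"
        )
    for th in report["threats"]:
        for tr in th["traces"]:
            path = tr.get("procPath", "")
            if not path:
                continue  # file, registry or cookie traces carry no process path
            where = "a running process"
            if path.lower().startswith(SYSTEM_DIRS):
                where = "a Windows system process"
            notes.append(
                f"{th['name']} (level {th['level']}) detected in {where}: "
                f"{path} pid={tr.get('pid')} md5={tr.get('md5')}"
            )
    return notes


if __name__ == "__main__":
    rep = parse_scan_log(SAMPLE_LOG)
    print(f"scan {rep['summary']['started']} -> {rep['summary']['ended']}, "
          f"{rep['summary']['traces_scanned']} traces scanned")
    for line in triage(rep):
        print(" -", line)
```

Run against the posted log, the two findings are the ones that matter in this thread: the cleaner quarantined and deleted nothing (cleanerResult="-1"), and the single trace is a process trace on C:\Windows\System32\services.exe rather than a file on disk, which is why the helper treats it as a rootkit and why a later scan finding "nothing" is not proof of a clean machine.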
#6
Posted 14 August 2012 - 09:32 PM
You have a serious rootkit infection. It can be difficult and time consuming to remove it, and it probably is faster to reinstall Windows.
Have you been able to run ComboFix?
#7
Posted 14 August 2012 - 10:35 PM
I actually tried to install ComboFix and something prompted me to restart. When I did, I had a blue screen with a bunch of stuff talking about errors; I had to do some sort of Windows fix and I believe it did a system restore of some sort, but now the virus is gone, ComboFix is no longer on my computer, and well, it was really weird and odd to be honest... Needless to say I have no clue as to what I did or how I did it, but the problem seems to be gone. Ad-Aware hasn't found anything in its scans other than 1 trojan that it placed in quarantine, so we'll see what happens in the next few days I guess....
#8
Posted 14 August 2012 - 10:36 PM
Also, thanks a ton for the help that you did give me on this, because even though I'm not sure what we did, you're the real reason it's fixed.
#9
Posted 14 August 2012 - 11:37 PM
You are welcome.
Unfortunately a system restore isn't a safe way to get rid of a rootkit. Even if Ad-Aware doesn't find anything, there might still be malicious files on the computer, since no antivirus program finds everything.
You also have a setting in Firefox that makes Firefox use the bad Conduit search, and old program versions with vulnerabilities that make it easy to infect the computer.
Please let me know if you want any further help.
#10
Posted 11 November 2012 - 06:21 PM
Due to lack of feedback, this topic has been closed.
If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
Everyone else please begin a New Topic.
Thank You !