Sirefef trojan problem

chipp
Posts: 144 Forumite


in Techie Stuff
My desktop computer is stuck in a reboot loop due to this trojan, which I suspect propagates itself each time the machine reboots (so it's now off at the mains!). Even safe mode is infected. The problem started yesterday with "live security platinum" finding its way on to my computer (I suspect a website I visited to get maps for a holiday destination).
Since the PC doesn't stay on long enough to run any cleanup software, can someone give me step by step instructions (or point me at a post on this forum that does) for downloading whatever I need onto a USB stick and changing the boot order so it executes the downloaded cleanup software. Pretty please:). This is the first time I've ever had to deal with malware on my own computer and although I thought I had common sense, recent events have called that into question, hence my need for hand-holding.
If you can't think of anything nice to write, say nothing. Rudeness isn't clever.
Comments
-
One option
http://www.techmixer.com/create-bootable-kaspersky-usb-rescue-disk/
Others here which you can use to create a rescue CD
http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/
-
Hi
There are a number of tools which could assist - one of the most flexible being Windows PE-based utilities such as "Bart PE". Once booted it can run an offline malware and virus scan. But tools such as this usually require technical expertise to get running (creating bootable ISO images, identifying and downloading drivers, etc.)
If you can start in SAFE mode and know roughly *when* you got the infection, you could try restoring to an earlier date using System Restore (via "Accessories, System Tools"). Assuming you run Windows of course!
If you're unable to start in Safe Mode however, this may not be possible.
Do you have the setup media? It may be quicker (and certainly more effective) to do an in-place repair of the O/S.
Best of luck
Gaz
-
Thanks Santer, unfortunately the clean computer I'm using to post here is only a little netbook with no optical drive, so anything I download will have to be onto a USB stick.
Garynuman - safe mode has the same problem. And although I do have a restore disk, I'm guessing that my trojan won't give me a chance to run it. Unless the normal boot order is optical drive then HDD - does anybody know? It's a 6 month old Acer and I've never gone into the BIOS settings but of course they may have been trashed by the trojan.
I seem to recall that the safe mode entry screen (which is as far as I can get before the "shutdown in 1 min" msg) has some sort of repair option at the top (above the three "safe mode" options) so I could give that a whirl but I'm worried that switching the computer on again and blundering around in the dark might make things worse. Professional opinion anyone?
And if I do manage a system repair, I presume I then need to run malwarebytes etc, but at what point can I be confident it's clean? I thought it was yesterday after zapping "LSP" only to discover that this latest trojan was still lurking.
-
Looking at this, you should just need the iso file without needing to burn it to a CD
http://www.techmixer.com/create-bootable-kaspersky-usb-rescue-disk/
-
Chipp
If you start in SAFE mode, you should get a dialog with a "Yes" and a "No" option.
The "Yes" option will lead you to the Safe Mode desktop (with "Safe Mode" in all 4 corners), the "No" option should take you straight to System Restore.
I believe that if you select "No", only services required by System Restore are started so you may "get away with it".
Worth a try ...
> And if I do manage a system repair, I presume I then need to run malwarebytes etc, but at what point can I be confident it's clean? I thought it was yesterday after zapping "LSP" only to discover that this latest trojan was still lurking.
System Restore will revert your system back to the state it was in at the date you specify. You will need to run MalwareBytes and do a full AV scan but I would recommend this anyway.
It is common for threats to "attach" themselves to services. If you can get the thing to boot do an SFC /SCANNOW at a command prompt too.
Gaz
-
If it boots and then gives you 1 minute before restart message, have you tried doing a ..
RUN .. shutdown -a
This would normally abort the shutdown API and allow you to do diagnostics (such as System Restore). Unless the payload has other things in mind!
Gaz
-
> Chipp
> It is common for threats to "attach" themselves to services. If you can get the thing to boot do an SFC /SCANNOW at a command prompt too.
> Gaz
I've tried the repair option above the 3 safe mode options and it says it can't complete the repair going back to 25th May (when I have every reason to think the computer was clean). There is a command prompt offered by this sub-menu, can you explain what you mean about SFC/SCANNOW please?
-
SFC = SYSTEM FILE CHECKER
It is part of Windows which will detect any issues with system files (those in Windows\System32) and will replace any that are considered "potentially compromised".
Here is the lowdown ..
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/system_file_checker.mspx?mfr=true
You may be prompted for your Windows CD. Don't forget to run Windows Updates afterwards though as those files on your original media may be out of date and/or surpassed by later service packs.
Works with XP, Vista and 7.
-
Thanks Gaz, mine's a 64 bit machine, does this still apply?
-
Yes. Indeedie!
This discussion has been closed.