
Sirefef trojan problem


Comments

  • chipp
    chipp Posts: 146 Forumite
    Part of the Furniture 100 Posts Photogenic Combo Breaker
    OK Gaz, it's running now (and not from safe mode as there has been progress of a sort).

    When I closed the repair dialogue box the computer rebooted, so I took the opportunity to go into the BIOS settings and the boot order is
    1 EFI device
    2 HDD
    3 CD/DVD
    4 removable
    5 LAN
    does that seem normal?

    I exited without saving any changes and the computer continued to boot, apparently normally. I got a dialogue box about a successful restore as at 25th May (or words to that effect); as this is at odds with the earlier message I'm not convinced, however I shut it down and it didn't switch itself back on. As I said, progress.

    I'm unsure what order to do things in next and would appreciate advice. MSE is showing red (out of date) and computer is currently deliberately disconnected from the outside world. There have been a few win7 critical updates since 25th May. Should I get them before running malwarebytes or after? I can run malwarebytes from a USB but for windows updates I'll need to go online and my AV is out of date. Should I ditch MSE in favour of avast/avg/avira/adaware?
    If you can't think of anything nice to write, say nothing. Rudeness isn't clever.
  • garynuman
    garynuman Posts: 201 Forumite
    Part of the Furniture 100 Posts Combo Breaker Debt-free and Proud!
    Great! Sounds like you're making progress.

    Firstly, the boot order looks fine. But this will have little or no effect on the issues you have reported. At this point, you could reprioritize the CD or USB device in the list should you need to boot from such media but probably not necessary now.

    If the System Restore worked correctly, your documents and stuff should be intact but any programs (including the virus!) will have been lost. This would include files and registry entries. Probably explains why MSE is out-of-date too.

    • Microsoft Security Essentials is a great piece of kit - it's actually a cut-down version of their commercial offering. No need to find a replacement. But, update the antivirus signatures now!
    • Also, update MalwareBytes to the latest signature set
    • Disconnect your PC from the Internet (or switch off your router).
    • Run a FULL virus scan and a FULL Malware scan and note if any problems persist. Malwarebytes may report a few cookies as threats but you can normally disregard these.
    • Run System Restore again to create a recovery point.
    • Reconnect to the Internet.
    • Run Windows Updates.
    There really isn't much else you can do except run a few scans over the next few days, but remember no AV software can find all threats and you should ensure you have a contingency plan for such situations. I use Acronis Home which offers a comparable "System Restore" function WITH a boot disk so you don't need to boot to your O/S.
    Hope this helps

    Gaz
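The checklist Gaz gives above (update signatures, go offline, full scan, restore point, reconnect, check updates), written up as an added PowerShell script for Windows 7 with Microsoft Security Essentials; this is not code from the thread or from any of the posters. It assumes MSE's MpCmdRun.exe is in its default install folder and that the wired adapter is named "Local Area Connection" (the MalwareBytes scan is still run by hand).

```powershell
# Added example: automates the defender's checklist from the post above
# for Windows 7 + Microsoft Security Essentials. Assumptions: MSE is in
# its default folder and the adapter is "Local Area Connection" (change
# $Adapter if yours differs). Run from an elevated PowerShell prompt.
param(
    [string]$Adapter = "Local Area Connection"   # assumed adapter name
)
$MpCmdRun = "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe"
if (-not (Test-Path $MpCmdRun)) { throw "MSE not found at $MpCmdRun" }

# 1. Pull the latest MSE signatures while still online.
& $MpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) { Write-Warning "Signature update returned $LASTEXITCODE" }

# 2. Go offline before scanning so a live infection cannot phone home.
netsh interface set interface name="$Adapter" admin=disable

# 3. Full scan (ScanType 2 = full). A non-zero exit code means threats
#    were found or the scan did not complete; check the MSE History tab.
& $MpCmdRun -Scan -ScanType 2
$scanResult = $LASTEXITCODE

# 4. Only snapshot a state you believe is clean: a restore point taken
#    with malware present just preserves the malware for later.
if ($scanResult -eq 0) {
    Checkpoint-Computer -Description "Post-cleanup baseline" -RestorePointType "MODIFY_SETTINGS"
} else {
    Write-Warning "Scan exit code $scanResult; not creating a restore point"
}

# 5. Reconnect and list pending Windows updates, so the critical updates
#    released since the restore date can be installed through Windows Update.
netsh interface set interface name="$Adapter" admin=enable
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
Write-Host ("{0} update(s) pending" -f $pending.Count)
$pending | ForEach-Object { Write-Host " - " $_.Title }
```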
  • chipp
    chipp Posts: 146 Forumite
    Part of the Furniture 100 Posts Photogenic Combo Breaker
    Hi Gaz

    SFC found some files to replace, I think I counted 5 log files. I have shut down and rebooted since and fingers crossed still OK.

    I'm now about to start updating and running the security stuff in the order you suggest. Since you're saying to update MSE first I will download malwarebytes directly onto the desktop, rather than onto a USB stick via a different computer, please shout IMMEDIATELY if you'd advise against doing it this way.
    If you can't think of anything nice to write, say nothing. Rudeness isn't clever.
  • garynuman
    garynuman Posts: 201 Forumite
    Part of the Furniture 100 Posts Combo Breaker Debt-free and Proud!
    It shouldn't matter whether you download onto the PC or use another PC (though the latter is safest!).

    Personally, I would take the risk of downloading it on your PC and then disconnect it before running the scans. But it's down to personal preference.

    Best of luck
  • chipp
    chipp Posts: 146 Forumite
    Part of the Furniture 100 Posts Photogenic Combo Breaker
    Hi Gaz
    I reconnected the router to get MSE updates, it said it couldn't get all of them. Hopefully just because some require a previous one and a reboot first, like with Windows Update. I shut down and disconnected the router, then rebooted. MSE gave a msg about cleaning files and me not needing to take any action, horrible feeling of deja vu as that was what was happening yesterday (I was getting two of these info msgs then the 1 minute to reboot one). But I only got the one message, so hopefully legit, and the computer has shut down successfully. I shall now go back online and reboot to get the MSE update it couldn't get before, then shut down. I'll download malwarebytes onto a USB stick (err on the side of safety) and report back each step of the way.

    Thanks for taking an interest.
    If you can't think of anything nice to write, say nothing. Rudeness isn't clever.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Combofix is currently the most effective way of dealing with Sirefef (aka ZeroAccess, Max++)
  • garynuman
    garynuman Posts: 201 Forumite
    Part of the Furniture 100 Posts Combo Breaker Debt-free and Proud!
    waddler_8 wrote: »
    Combofix is currently the most effective way of dealing with Sirefef (aka ZeroAccess, Max++)

    Hmm.. Not used that before. May be worth a shot if OP is still having issues..
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Technical analysis of ZA here: http://nakedsecurity.sophos.com/zeroaccess3/
  • chipp
    chipp Posts: 146 Forumite
    Part of the Furniture 100 Posts Photogenic Combo Breaker
    Hi Gaz, Waddler_8
    MSE says up to date but I clicked "check for updates" anyway and it says it couldn't get them because of an internet connectivity problem. Now I don't believe I have one this end but is it possible that the microsoft servers are being hit by a DOS attack or something even worse which I'd rather not contemplate?

    Desktop currently switched off and disconnected from router.

    Just about to start the MBAM download onto a USB stick (shiny, new, fresh out of the box so it ought to be clean!).

    In view of Waddler_8's post about dealing with my particular little trojan (hysteria setting in, regarding it as an invisible friend), I've not clicked the link yet but at what point in my long list should I run combofix? And I don't think I want to scare myself with the ins and outs of this trojan but thanks for the link Waddler_8.
    If you can't think of anything nice to write, say nothing. Rudeness isn't clever.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    If you want, run combofix now. Good as MBAM is, the current engine can't deal with Sirefef very well - as can't most AVs.

    Sirefef's an absolute pita as it messes with so many things. If you search the forums you'll see I've successfully used Combofix to remove it before.

    First run DDS to confirm Sirefef (should take 2-3 min).

    Download DDS from the link below and save it to your desktop:

    Link

    After you've downloaded it and saved it to your desktop:
    • Double click DDS to run it.
    • When it's finished, DDS will open two logs:
    1. DDS.txt
    2. Attach.txt
    Save both reports to your desktop.

    Copy & paste the contents of just DDS.txt for now and post it here (you may need to split the log over separate posts).