I recently had to repair a computer that had a very bad problem. It had gotten the Win32:Sirefef-ZT virus or malware. The system was running Malwarebytes and AVG antivirus. It knew it had the virus but failed to stop it entering and couldn't remove it. I installed Avast antivirus on it and it couldn't remove it either, so I spent a lot of time on this forum finding out how to remove it and saw some pretty good programs posted in your help pages. I'm sure they helped to remove it. It took about 3 days to do so, but the first thing you recommended running was Malwarebytes. This I don't understand. It was present when the computer got infected and let it in. It also couldn't do anything about removing it either. After many frustrating hours of trying to get rid of this I did what I should have done in the first place and what I always do: I installed "Spybot Search and Destroy". It did one scan, one reboot scan, and then I did a final scan with Avast, and the Win32:Sirefef-ZT virus and the Win32:Sirefef-PL virus were gone, never to return. I just don't see why people think Malwarebytes is so fantastic and fail to recognize the brilliance of Spybot S&D. It is twice the program that Malwarebytes is. It's not only great at removing malware and spybots but it builds a restricted site list in your browser to keep your computer from going to or linking to the sites that all this crap comes from. I think they currently protect you from over 19000 web sites that distribute malware and spybots. When you try this program and find it as useful as I do, please donate money to their cause. They do it for free and it's one hell of a program.
By the way, I've religiously used Avast for quite some time and I deal with a lot of viruses. While I was working on this computer I opened my email and, lo and behold, I had an email with the Win32:Sirefef-PL virus, and Avast caught it and kept it out. In my profession repairing computers I sometimes take hard drives out of other systems, put them into my own, and scan and remove the viruses with Avast. It has always been able to remove them and never lets my computer get infected with the viruses it finds. It beats the hell out of Norton, AVG and McAfee.
Hey, and welcome to the forum. Please follow this guide and attach your logs:
http://forum.avast.com/index.php?topic=53253.0.
The Sirefef trojan is a nasty one and needs expert help to be removed.
Avast has just minimized the infection to get more server. That's why you get the popup from Avast.
A malware expert will guide you from there when you have attached the necessary logs.
Update: I have sent a note to one of the malware experts here on the forum about your problem.
Read more carefully. I don't have a problem. The problem was that I used Malwarebytes. Once I used Spybot I got it out of the system. Computer cured.
First... no security program has 100% detection.
If you search the removal forums around the net... like MajorGeeks / Geeks to Go / BleepingComputer / and more... why do you think the first tool they try is Malwarebytes... and they all stopped using Spybot years back?
Spybot updates once a week... MBAM may have 10 updates in one day.
That's the problem. They stopped using it years ago but Spybot continued to evolve. I've dealt with viruses for years and I've seen Spybot take out malware that Malwarebytes couldn't... Malwarebytes also doesn't build the restricted site list for your browser so your computer can't go to the sites that host the spybots and malware. I tried all the stuff on this forum for days and Spybot got it out in one scan. Maybe all the experts should go back and try it again. They might learn something.
"I tried all the stuff on this forum for days and Spybot got it out in one scan."
To verify that, you should follow the guide here and attach an OTL log, and let Essexboy have a look inside.
Hah! Glad you like avast! But please take note of the statement in my signature below.
P.S. Agreed, avast! is a great prevention solution.
I would be intrigued to see how Spybot took out Sirefef, as Malwarebytes can't. Nor can any AV. The only two that I know of that will are RogueKiller and ComboFix, although sometimes TDSSKiller will get it.
The reason that Malwarebytes is the first tool to run in the help thread is that it will remove all the "normal stuff", and the OTL log will determine what remains and what would be the most appropriate tool to use next.
Also, with IE8 and 9 there is an integral block list which negates the requirement for a hosts list with 2000 entries.
Well, I followed your guide and used RogueKiller and OTL (excellent programs). I also ran the other programs and they cleaned out a lot of garbage, but it all kept coming back. Then I installed Spybot S&D, scanned and cleaned with it, then let it run the boot scan. It wiped out a lot of invalid cab files that I think were being used to regenerate the Sirefef-ZT and Sirefef-PL. After it was done running I used Avast AV and ran another scan along with RogueKiller and OTL. They were able to take out the Sirefef-PL. Everything I had tried to that point seemed to work until you rebooted and it was all regenerated again, but Spybot S&D seemed to stop the regeneration. One theory on that is that it builds a restricted site list in your browsers that keeps them from accessing the hosts of most of the malware and spybots. This might have been instrumental in stopping the regeneration of the problem. I'm not dissing Malwarebytes. I've used it before, but I think a lot of people overlook the value of Spybot S&D. I've had very good results with its removal process and I love putting it on people's computers that are horrible at updating programs. Even if it isn't upgraded often, the restricted site list helps block a lot of malware. If your browser can't go there, you can't get it. I realize most people don't directly go to the site, but the embedded links in the websites they go to redirect you to the sites with the malware and spybots invisibly.
"After it was done running I used Avast AV and ran another scan along with RogueKiller and OTL. They were able to take out the Sirefef-PL."
OTL does not take out anything... it will produce a diagnostic log... and from that log the removal experts will create a script that will instruct OTL what to remove... Do you know how to do that?
If not, you need to attach the OTL logs here so Essexboy can make that script... if he sees anything that needs to be fixed.
"Even if it isn't upgraded often, the restricted site list helps block a lot of malware. If your browser can't go there, you can't get it."
I use OpenDNS for that ;)
I already had the script for OTL. I do use OpenDNS, but I was touting Spybot S&D as a tool for removal and to give to my clients that don't use OpenDNS. I read a lot on the internet about people not being able to get rid of Sirefef. I read a lot on your forums. I tried your tools and still had it. Instead of sending in my log files and waiting for a response I kept trying the tools I use.
All I was trying to do in this post was inform you of what I found that would remove it. I've now run a lot of scans and it is gone. I can see now that I'm pretty much wasting my time. You've all found your own cures. I've learned about some new programs and I thank you for that. In my 20 years of repairing computers I've removed thousands of viruses, malware and spybots, but I'm not in your league as far as knowledge goes, though I do know a few tricks. Just thought I'd pass one on. Like someone said, there is no cure-all for this stuff unless you line up all the hackers against a wall in front of a firing squad. You just have to keep trying stuff and find what works. I was fortunate enough to fix computers for a real estate agent that got about 4000 emails a day, was on every spam list in the world, wouldn't update computers, let employees turn off the virus protection, and I learned how to keep most of it out of her systems and clean up the rest.
"It wiped out a lot of invalid cab files that I think were being used to regenerate the Sirefef-ZT and Sirefef-PL."
These would be inactive until such time as a programme opened them; they do not open by themselves.
A cabinet (.cab) file is a library of compressed files stored as a single file. Cabinet files are used to organize installation files that are copied to the user's system. A large compressed file can be spread over several .cab files. For a number of years, Microsoft has used .cab files to compress software that was distributed on disks. Originally, these files were used to minimize the number of floppy disks shipped with a product. Today, .cab files are used to reduce the file size and the associated download time for Web content that is found on the Internet or on corporate intranet servers.
One file in the cabinet is typically an information (.inf) file, which provides further installation information. The .inf file may refer to files in the .cab as well as to files at other URLs.
Also, any information that would help me remove this stuff I gladly use, but this is one case where I have never seen it do any good at all.
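The cabinet format described in the post above is simple enough to inspect without extracting anything, which is what a technician would want to do with a directory of "corrupted cab files" before deciding whether they are damaged, decoys or just leftovers. The following is an added example written for this page, not code posted by anyone in the thread or shipped by any vendor. It is a small Python walker over the CFHEADER, CFFOLDER, CFFILE and CFDATA structures of the MS-CAB format that reports whether a .cab's directory is internally consistent: signature, declared size against real size, offsets past end-of-file, file entries that point at folders that do not exist, CFDATA checksum mismatches, and names that would escape the extraction directory. It only says whether the container is intact; it cannot say whether the files inside are malicious. The sample cabinet built by build_stored_cab() is constructed inline for the demonstration.

```python
"""MS-CAB directory walker with integrity checks (added example; nothing is extracted).
Reports: bad signature, declared size != real size, offsets past EOF, file entries
pointing at non-existent folders, CFDATA checksum mismatches, names escaping the
extraction directory.  build_stored_cab() produces a constructed sample cabinet."""
import struct

MSCF = b"MSCF"
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36 bytes without optional fields
CFFOLDER = struct.Struct("<IHH")              # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")             # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = struct.Struct("<IHH")                # csum, cbData, cbUncomp
RESERVE_PRESENT = 0x0004                      # CFHEADER.flags: per-structure reserve sizes follow
CONTINUED = {0xFFFD, 0xFFFE, 0xFFFF}          # iFolder values meaning "file spans cabinets"

def cab_checksum(buf, seed=0):
    """CFDATA checksum: XOR of little-endian 32-bit words; 1-3 tail bytes fold in high-to-low."""
    whole = len(buf) // 4 * 4
    csum = seed
    for (word,) in struct.iter_unpack("<I", buf[:whole]):
        csum ^= word
    tail = 0
    for byte in buf[whole:]:
        tail = (tail << 8) | byte
    return csum ^ tail

def _cstring(data, pos):
    end = data.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated string at offset %d" % pos)
    return data[pos:end], end + 1

def parse_cab(data):
    """Return (files, findings). Empty findings = self-consistent directory; it says
    nothing about whether the contained files are malicious."""
    findings, files, folders = [], [], []
    if len(data) < CFHEADER.size or data[:4] != MSCF:
        return [], ["not a cabinet: missing MSCF signature"]
    (_, _, cb_cabinet, _, coff_files, _, _minor, _major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(data, 0)
    if cb_cabinet != len(data):
        findings.append(f"cbCabinet says {cb_cabinet} bytes, file is {len(data)}")
    try:
        pos, folder_reserve, data_reserve = CFHEADER.size, 0, 0
        if flags & RESERVE_PRESENT:   # signed cabinets keep their Authenticode blob here
            header_reserve, folder_reserve, data_reserve = struct.unpack_from("<HBB", data, pos)
            pos += 4 + header_reserve
        for bit in (0x0001, 0x0002):  # prev/next cabinet: a name string and a disk string each
            for _ in range(2 if flags & bit else 0):
                _, pos = _cstring(data, pos)
        for i in range(c_folders):
            start, n_blocks, comp = CFFOLDER.unpack_from(data, pos)
            pos += CFFOLDER.size + folder_reserve
            if start >= len(data):
                findings.append(f"folder {i}: coffCabStart {start} is past end of file")
            folders.append((start, n_blocks, comp & 0x000F))
        pos = coff_files
        for _ in range(c_files):
            size, off, i_folder, _date, _time, attribs = CFFILE.unpack_from(data, pos)
            raw, pos = _cstring(data, pos + CFFILE.size)
            name = raw.decode("utf-8" if attribs & 0x80 else "cp437", errors="replace")
            files.append({"name": name, "size": size, "folder": i_folder, "offset": off})
            if i_folder not in CONTINUED and i_folder >= c_folders:
                findings.append(f"{name}: iFolder {i_folder} but only {c_folders} folder(s)")
            parts = name.replace("\\", "/").split("/")
            if ".." in parts or parts[0] == "" or (len(parts[0]) == 2 and parts[0][1] == ":"):
                findings.append(f"{name}: path would escape the extraction directory")
    except (struct.error, ValueError) as exc:
        return files, findings + [f"truncated or corrupt directory: {exc}"]
    for fi, (start, n_blocks, _comp) in enumerate(folders):   # verify every CFDATA block
        pos = start
        for b in range(n_blocks):
            if pos + CFDATA.size > len(data):
                findings.append(f"folder {fi}: CFDATA block {b} header past end of file")
                break
            csum, cb_data, _cb_uncomp = CFDATA.unpack_from(data, pos)
            body = pos + CFDATA.size + data_reserve
            payload = data[body:body + cb_data]
            if len(payload) != cb_data:
                findings.append(f"folder {fi}: CFDATA block {b} payload truncated")
                break
            # csum == 0 means "not supplied"; otherwise it covers the payload, then cbData/cbUncomp
            if csum and cab_checksum(data[pos + 4:pos + 8], cab_checksum(payload)) != csum:
                findings.append(f"folder {fi}: CFDATA block {b} checksum mismatch")
            pos = body + cb_data
    return files, findings

def build_stored_cab(entries, set_id=0x1234):
    """Constructed sample: one folder, typeCompress=0 (stored), one CFDATA block; entries = [(name, payload)]."""
    records, blob = b"", b""
    for name, payload in entries:
        records += CFFILE.pack(len(payload), len(blob), 0, 0x4021, 0x6000, 0x20) + name + b"\x00"
        blob += payload
    files_off = CFHEADER.size + CFFOLDER.size
    data_off = files_off + len(records)
    csum = cab_checksum(struct.pack("<HH", len(blob), len(blob)), cab_checksum(blob))
    block = CFDATA.pack(csum, len(blob), len(blob)) + blob
    header = CFHEADER.pack(MSCF, 0, data_off + len(block), 0, files_off, 0,
                           3, 1, 1, len(entries), 0, set_id, 0)
    return header + CFFOLDER.pack(data_off, 1, 0) + records + block
```

Running parse_cab(build_stored_cab([(b"setup.inf", b"[Version]\r\n"), (b"hello.txt", b"hello")])) lists both entries with an empty findings list; flipping one payload byte produces a checksum mismatch, and chopping the last byte off produces both a cbCabinet size mismatch and a truncated-payload finding. Real cabinets from Windows Update are signed, and the signature lives in the header reserve area, which is why the reserve fields are honoured rather than skipped. A walker like this tells you whether the container is intact; what the contained .inf does with the files is a separate question.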
DUH. I'm not an idiot who needs to have what a cab file is explained to him, but what a perfect place to hide files so a program could run and extract commands. Cab files are many times protected system files that can't be deleted. What a perfect place to hide a virus. There was a whole directory of corrupted cab files. There were also several infected .klm files.
Originally it wasn't just a Sirefef-ZT virus. When I started this whole process I cleaned out 12 viruses or malware and about 36 corrupted files. Then they regenerated, and there were only 8 viruses the second time and the same 36 corrupted files I'd deleted the time before. That was the problem. They kept regenerating time after time, even after running RogueKiller the first time. Spybot was the one that stopped them from regenerating, so I guess they weren't viruses as much as just plain deadly malware. But in my book it's a virus, not malware.
Here is a good post from the Spybot forum:
http://forums.spybot.info/showthread.php?t=66271
Even they say you should use other guides than Spybot.
Usually I do not like to write in these kinds of topics, but this one I somehow could not bypass. ;D
"Maybe all the experts should go back and try it again. They might learn something."
These words forced me to write a few words. Yes, I always want to learn something new, but when I carefully examined this topic...
@obwhon58
If I understand correctly, we are now just discussing ZeroAccess rootkits and the software that is currently able to remove them and disinfect ZA-related (patched) files?
Before we continue you need to understand the difference between active malware and inactive malware (with which re-infection is possible).
"It took about 3 days to do so but the first thing you recommended running was Malwarebytes. ... I just don't see why people think Malwarebytes is so fantastic..."
Because Malwarebytes is, as you said, "so fantastic".
First, I'll write a few things about Malwarebytes.
MBAM uses a powerful low-level driver (it looks like an anti-rootkit driver) to locate hidden files, and uses some special search techniques and heuristics which enable it to detect a good part of the worldwide malware, including active rootkits. This gives it so much force that it allows MBAM to really kill and delete (exterminate) ~90% of active malware. When I say active malware, we must know that all malware uses various tricks to protect itself from being deleted.
MBAM uses its heuristics to detect malware files / entries... In simple translation, all files that are not in their place and could use some known methods of abuse will be checked by MBAM.
(You may read this topic if you will: link
Also, please read the Interview with Malwarebytes' founder, Marcin Kleczynski.)
After reading these two links, maybe you can understand why many of the worldwide helpers recommend the software named Malwarebytes Anti-Malware.
"... and the Win32:Sirefef-ZT virus and the Win32:Sirefef-PL virus were gone never to return."
How do you know that for sure? As I understand it, you're using various scanners that will search your system for the malware files they know and try to remove them. How do you know that you haven't just deleted some loading point of the malware? Maybe the configuration files are still there? Changes in the system that have been made by the ZeroAccess rootkit are still there? ZA patches some legitimate Windows core files, which cannot be "cured" so easily. And as far as I know, the classic tools do not want to play with patched Windows files because they can easily cause the system to stop working. So, how do you know that your services.exe is the legitimate one, or whether it is just waiting for the opportunity to try to activate the infection again?
There are so many things that need to be checked. I just want to say that without a proper diagnosis it is not possible to claim the system is a clean machine.
The only thing you can assume is that the malware is not active any more.
"It's not only great at removing malware and spybots but it builds a restricted site list in your browser to keep your computer from going to or linking to the sites that all this crap comes from. I think they currently protect you from over 19000 web sites that distribute malware and spybots."
Spybot makes changes to the hosts file that will block access to certain sites, as far as I know. I think it does not do anything more than that, but in my opinion it is an outdated method of protection.
"When you try this program and find it as useful as I do, please donate money to their cause. They do it for free and it's one hell of a program. ... but I think a lot of people overlook the value of Spybot S&D."
To be sure we all understand each other, and I do not want to be misunderstood... I completely agree with you on this one. I have no doubt that Spybot is phenomenal software. I agree... ;) I'm just stating facts.
"Malwarebytes also doesn't build the restricted site list for your browser so your computer can't go to the sites that host the spybots and malware."
Are you sure? :) http://www.malwarebytes.org/products/malwarebytes_free/
"But in my book it's a virus, not malware."
And what is malware? What all comes under the term "malware"?
http://en.wikipedia.org/wiki/Malware
To settle the note in the discussion, I've done a little test. ;D
I've downloaded and run Spybot on my test machine, where I have active ZA loading points running for this rootkit and all configuration files are there. Windows core files were not patched by the ZA rootkit because I have not rebooted the machine.
Spybot did not find any of the ZA loading points in my case. When I have more time, maybe I will do better (one more) testing that is more accurate, but for now...
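On the hosts-file point raised in the post above, the limits of that kind of protection are easy to see in code. The following is an added example written for this page, not code from any participant, from Spybot or from OpenDNS. It parses hosts-file text the way a resolver reads it (the first entry for a name wins, '#' starts a comment, malformed lines are skipped), treats a name pointed at a sinkhole address as blocked, and contrasts that exact-name matching with the domain-suffix matching a DNS filter or a browser block list performs, so a subdomain of a listed domain slips past the hosts file but not the suffix match. It also audits entries that send a watched name to a real address, because a hosts file can hijack a name as easily as it can block one. SAMPLE_HOSTS and every name and address in it are constructed for the demonstration (RFC 5737 documentation ranges and .example names).

```python
"""Hosts-file blocklists: what they block and what slips past (added example)."""
import ipaddress

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}   # addresses that mean "go nowhere"

# Constructed sample: two sinkholed hosts plus one hijack-style redirect and one junk line.
SAMPLE_HOSTS = """\
# Default Windows hosts header lines are comments and are ignored
127.0.0.1       localhost
::1             localhost
# Start of blocklist entries
127.0.0.1       badsite.example
0.0.0.0         www.evil-ads.example    # trailing comments are fine
# End of blocklist entries
203.0.113.9     update.antivirus.example
badline without an address
"""


def parse_hosts(text):
    """Return {hostname: address}; the first entry seen for a name is kept."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                      # malformed line: the resolver skips it too
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def hosts_blocks(table, hostname):
    """Exact-name match: the only kind of blocking a hosts file can do."""
    return table.get(hostname.lower().rstrip(".")) in SINKHOLES


def suffix_blocks(blocked_domains, hostname):
    """Domain-suffix match, as a DNS filter does: covers every subdomain of a listed domain."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked_domains for i in range(len(labels)))


def audit_redirects(table, watched_names):
    """Watched names (e.g. AV update servers) that the hosts file sends to a real
    address instead of a sinkhole: a sign the file is hijacking rather than blocking."""
    return sorted((n, a) for n, a in table.items()
                  if n in watched_names and a not in SINKHOLES)
```

With the constructed sample, hosts_blocks() is true for badsite.example and www.evil-ads.example but false for cdn.badsite.example, while suffix_blocks({"badsite.example"}, "cdn.badsite.example") is true; audit_redirects() returns the update.antivirus.example entry pointing at 203.0.113.9. A 19,000-line hosts file still only ever covers the exact names it lists, which is the "outdated method" point, and the same file is a place to check when a machine suddenly cannot reach its update servers.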