Ok guys, I have a serious security problem here and I need your help quickly.
A friend of my friend in my Xfire account just gave me a link to a video file.
He told me it's a trailer.
I opened the link and it asked me to update my Flash Player and gave me a download link.
And I made the terrible mistake of opening the link and downloading the file (I know, but I trusted that). I think you know the rest.
When the download completed I quickly noticed that I had made a terrible mistake.
The downloaded file icon (which was on the desktop) vanished after a second.
I'm no idiot, so I quickly went to Control Panel to check my firewall. Then I saw it was fully disabled and I wasn't able to turn it on. Then I checked my antivirus (ESET Smart Security 4) and the same had happened to it; it was fully disabled. So I quickly turned off the router and started a full in-depth computer scan (the scan still works).
Please help me! What should I do? Right now I'm using another computer.
And here is the link to the corrupt Flash Player. Don't download if you don't know what you're doing; it'll disable the antivirus and firewall very quickly.
http://tube2.uk.to/?id=0&watch=b8d0q7#
WARNING: don't go there if you don't know what you're doing!
Just finished scanning; the antivirus found this very suspicious file that required a system reboot to clean:
Operating memory> c:\Windows\assembly\GAC_32\Desktop.ini
After the restart it asked for a reboot again, so I assume this file can't be easily removed, so I didn't reboot again.
Also, after the restart I noticed a new process in my Task Manager named
Foaebij.exe
which I terminated.
Just removed ESET and downloading Avast now; will install as soon as it's downloaded.
I need some professional help!
Thank you, and please answer me as quickly as possible.
Any help would be appreciated.
Hello. Did Avast detect anything? Any virus? Could you give us the exact name of the virus and the location?
Hi, the download isn't completed yet (slow internet connection on this computer).
PS: I tried entering Safe Mode to see if I can do anything from there, but it gave a blue screen of death error 30 seconds after startup. Don't know if this is caused by this file.
I also remember the warning from ESET: it was a Sirefef.W trojan (about the Desktop.ini file).
Win32/Sirefef is a trojan which is using rootkit techniques. Sirefef is known for causing redirects of the results of online search engines to web sites that contain adware.
This is a nasty virus and I wouldn't like to assist you in cleaning this virus, to avoid any accidents (forgive me).
Please follow the guide here and post your logs (MBAM and OTL). Essexboy is notified; he's an expert and he is the one who is going to help you.
Have a nice day from me ;D
Thanks for the reply.
Update:
I am now unable to enter my Windows 7 (don't know the reason, probably the virus).
Luckily I have Windows XP installed on the infected computer as well.
Anything to do from there?
Windows Startup Repair is running; waiting for possible results (or none at all).
Update: no results, still unable to enter Win7.
You may want to try this:
Download Dr.Web from here. Fill in the small form and download:
http://www.freedrweb.com/download+cureit+free/?lng=en
It will download as an 8-digit file; save it to your desktop.
Restart in Safe Mode and run it.
Accept the enhanced version.
Then run the full scan and allow it to cure all infections found.
Once finished it will generate a log; please attach that log here.
WARNING: Do not delete any files under this infection, as this may render your PC not bootable… this is a Backdoor MaxPlus 90 infection.
Guess I know the reason why my Win7 doesn't boot now,
not even in Safe Mode.
Win XP ESET Smart Security found 4 threats, all named something around Sirefef.W, but quickly removed them. Restarted the PC and they aren't in the log or quarantine to be seen again (it didn't even ask for my permission to restart; they were all on the infected Windows drive).
What should I do now?
They aren't even in the quarantine to be restored.
And here is the log of scanning the infected drive with the Malwarebytes Anti-Malware software in Win XP (since Win7 is completely out):
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 275742
Time elapsed: 23 minute(s), 37 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 1
C:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) → No action taken.
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 7
C:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) → No action taken.
D:\System Volume Information_restore{91CF95DC-9968-4480-A6B4-0B63CBB781D2}\RP48\A0002533.exe (RiskWare.Tool.CK) → No action taken.
D:\System Volume Information_restore{91CF95DC-9968-4480-A6B4-0B63CBB781D2}\RP48\A0002534.ini (Rootkit.0Access) → No action taken.
D:\System Volume Information_restore{91CF95DC-9968-4480-A6B4-0B63CBB781D2}\RP48\A0002552.exe (RiskWare.Tool.CK) → No action taken.
D:\Windows\assembly\tmp\U\000000c0.@ (Trojan.Agent) → No action taken.
D:\Windows\assembly\tmp\U\000000cb.@ (Trojan.Agent) → No action taken.
D:\Windows\System32\lwwlicenseservice.dll (Trojan.Siredef) → No action taken.
(end)
Any other suggestions?
Besides removing ESET, which I already did…
Do not take any action with that termsrv.dll file; it will cause boot failure if deleted or quarantined. Other items can be safely removed with Malwarebytes…
Try Dr.Web as I had mentioned in my previous post… It should be able to find and cure the infected files… Allow it to cure all infections it finds, including the termsrv file…
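As an added illustration (not code from the thread or from Malwarebytes), a small Python parser for log lines in the format quoted above: it pulls out each detection, counts hits per family, and separates untouched items into ones the scanner can safely quarantine and ones to hold for expert review because the helpers say removing them breaks booting. The boot-critical list is an assumption drawn from the thread's advice, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format of the Malwarebytes log quoted above
# (a few lines are enough to exercise the parser; the real log was longer).
SAMPLE_LOG = r"""
Memory Modules Detected: 1
C:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken.
Files Detected: 3
C:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken.
D:\Windows\assembly\tmp\U\000000c0.@ (Trojan.Agent) -> No action taken.
D:\Windows\System32\lwwlicenseservice.dll (Trojan.Siredef) -> Quarantined and deleted successfully.
(end)
"""

# A detection line reads: <drive path> (<family>) -> <action>
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) (?:->|→) (?P<action>.+)$")
SECTION_RE = re.compile(r"^(?P<section>.+?) Detected: \d+$")

# Files the helpers say must not be removed blindly because Windows will not boot
# without them (assumption taken from the thread's advice, not a verified list).
BOOT_CRITICAL = {"termsrv.dll"}


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its log section."""
    section, items = None, []
    for raw in text.splitlines():
        line = raw.strip()
        s = SECTION_RE.match(line)
        if s:
            section = s.group("section")
            continue
        d = DETECTION_RE.match(line)
        if d:
            basename = d.group("path").rsplit("\\", 1)[-1].lower()
            items.append({"section": section, "path": d.group("path"),
                          "family": d.group("family"), "action": d.group("action"),
                          "boot_critical": basename in BOOT_CRITICAL})
    return items


def triage(items):
    """Split untouched detections into hold-for-review and safe-to-quarantine sets."""
    pending = [i for i in items if i["action"].startswith("No action taken")]
    hold = sorted({i["path"] for i in pending if i["boot_critical"]})
    safe = sorted({i["path"] for i in pending if not i["boot_critical"]})
    families = Counter(i["family"] for i in items)  # how many hits per family
    return {"hold": hold, "safe": safe, "families": families}
```

Run `triage(parse_mbam_log(SAMPLE_LOG))` to see the termsrv.dll entry land in the hold list while the temp-folder item is marked safe.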
Thanks for the reply,
downloading Dr.Web now.
I think I need to get some rest. This happened to me at 11 pm last night, when I was about to go to bed, and it's 8 am right now; I haven't slept for 26 hours now.
I don't know why someone would program such a thing; what's the point in it >:(?
Anyway, I'll notify you of the results as soon as I wake up.
I doubt that I can get my Windows 7 running again; I guess I have to reinstall it anyway :-,
If you still know a solution, let me know.
Thanks for everything, guys.
No worries! To cure this infection I have another powerful tool in my armoury if Dr.Web doesn't work…
Hello and good morning. You are infected by multiple rootkits; ZeroAccess and Sirefef is a nasty "combo". Wait for Essexboy and don't listen to trueindian, unless you want your system unbootable.
Post your OTL & aswMBR logs.
Thanks,
Philip
Hi left123, Dr.Web will not do any harm to the system in any manner… it can easily find and cure the Backdoor MaxPlus infection.
As left123 says, wait for Essexboy to arrive… he is a trained and certified malware remover and knows what he is doing.
Follow this link:
http://forum.avast.com/index.php?topic=53253.0
P.S. Hope I am not rude, but even I know what I am doing…
I sent the sample from the link that the OP gave… It should now be detected… update your virus definitions, everybody.
"P.S. Hope I am not rude, but even I know what I am doing..." So did all your banned friends from India say......... so it's not strange that we are a bit suspicious. 8)
My bad that the one guy who got banned was from my workstation… no wonder even you doubt me too.
Hi, what is the current status with the 7 partition… Does it boot at all?
ESET may have removed a file that was set as a boot device in the subsystem reg. That will need to be replaced.
Hi, guys,
sorry for the long delay.
I was too tired and had to get some rest.
If you read my posts before, you'll see that my Windows 7 is already not working,
and as I said, I think it was my antivirus which automatically removed the infected files and made my Windows not bootable. Right now I am using my other Windows on the infected computer (XP SP2).
As you all have said, I need to clean the infected files, but the problem is that they don't exist anymore; they were removed by the antivirus. So right now my problem is to make my Win7 bootable again. Any suggestions on that?
Should I try repairing Windows from its disk?
And I'm downloading Dr.Web and will run a full scan and tell you the results (without removing).
PS: there is still a chance that the damn malware, viruses or whatever they are aren't fully removed yet.
Thanks for the help, guys.
And guys, please don't fight with each other; the only person to blame here is that ****, who gave me the damn link.
OK, calm down, calm down… Relax!.. essexboy will help you further…
Cheers. ;D
Hi essexboy,
If we're lucky enough, the OP hasn't taken action on this item:
C:\WINDOWS\system32\termsrv.dll (Trojan.Downloader) -> No action taken.