Hi there,
A friend of mine has the Sirefef spyware. Removed it with many tools, but it keeps coming back.
Could use some help. Not sure where to start, so if someone could assist me? That would be nice, thanks.
Please attach your/his logs.
http://forum.avast.com/index.php?topic=53253.0
Yeah, my bad, I just read that after posting too quick.
Is it OK to log in to the forum from the infected computer? I've heard about password stealers, so I don't want to take any risk. What do you suggest?
I'd use my USB flash drive, but I'm afraid that might get infected as well.
Wanted to start the computer to get the logs, but I'm getting this BSOD :S
STOP: C0000135 The program can't start because %hs is missing. Try reinstalling the program
Don't have any working recovery points.
Try to start in safe mode.
Same problem. Also tried booting with the Win7 CD and tried repair. Same problem.
Chkdsk doesn't work either. I've had this problem before when I tried to delete it, but I could always restore it with the system recovery. For some reason they are all gone now.
Does anyone know what's being edited when you delete the virus by, let's say, MS Security Essentials?
Maybe I can manually restore it with a reg editor or some other tool.
Thanks in advance.
As you already used “many tools”, it’s very hard to tell without any logs.
Maybe essexboy can help you, I’ll inform him about this thread.
I’ll do my best to retrace my steps
First I looked in these forums for a case similar to mine.
I used aswMBR to scan and it deleted some files:
c:\windows\system32\consrv.dll
C:\Windows\assembly\GAC_64\Desktop.in
C:\Windows\assembly\GAC_32\Desktop.ini
Combofix did the same.
Then I ran MBAM, which found files in my temp folder (don't remember which, sorry).
After that I wanted to reboot and saw in a flash that Windows Update was installing 2 updates.
After that I saw (very quickly) something about the registry, Windows rebooted, and now I've got this problem with the %hs thingy.
The only recovery point I've got is from the Windows update, but when I try to restore that, it won't work.
Managed to recover some MBAM logs; they found these:
C:\Windows\Temp\qvxqjy\setup.exe
HKLM\system\CurrentControlset\Services\AMService
Trojan vupx tp2 (will be deleted on reboot)
C:\windows\Assembly\temp\twl.dll
pup.bitminer
Hope it's useful.
OK, first let's try to get you rebooted.
For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
[*]Restart the computer.
[*]As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
[*]Use the arrow keys to select the Repair your computer menu item.
[*]Select English as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
[*]Insert the installation disc.
[*]Restart your computer.
[*]If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
[*]Click Repair your computer.
[*]Select English as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select “Computer” and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Managed to get in by editing the reg key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems
It was saying consrv instead of winsrv.
Now finally, here are the logs
ASWMBR log
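The hijacked SubSystems value described in the post above is something a responder can check for directly. The following PowerShell is an added example written for this thread, not a tool or script posted by anyone in it: it parses the ServerDll entries in the Session Manager SubSystems "Windows" value and flags any DLL that is not one of the stock csrss server DLLs (basesrv, winsrv, sxssrv; that allowlist is an assumption for Windows 7), then checks for the GAC Desktop.ini drop paths the scanners reported earlier in the thread.

```powershell
# Added example for this thread (not from the original posts).
# Flags a non-stock ServerDll (e.g. consrv instead of winsrv) in the
# HKLM\SYSTEM\...\Control\Session Manager\SubSystems 'Windows' value.
function Test-SubSystemsValue {
    param(
        # Defaults to the live registry; pass a string to analyse a value
        # copied from an offline hive (e.g. ControlSet001 from the recovery console).
        [string]$Value = (Get-ItemProperty `
            -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems' `
            -Name Windows).Windows
    )
    # Assumed stock csrss server DLLs on Windows 7; anything else is reported.
    $allowed = @('basesrv', 'winsrv', 'sxssrv')
    $findings = @()
    foreach ($token in ($Value -split '\s+')) {
        # Entries look like ServerDll=winsrv:UserServerDllInitialization,3
        if ($token -match '^ServerDll=([^:,]+)') {
            $dll = $Matches[1]
            if ($allowed -notcontains $dll.ToLower()) {
                $findings += "Unexpected ServerDll '$dll' in SubSystems\Windows"
            }
        }
    }
    return $findings
}

# Checks the GAC Desktop.ini locations that aswMBR/ComboFix reported in the thread.
function Test-GacDesktopIni {
    $paths = @("$env:windir\assembly\GAC_32\Desktop.ini",
               "$env:windir\assembly\GAC_64\Desktop.ini")
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { "Suspicious file present: $p" }
    }
}

# Offline demo with a constructed infected value (consrv in place of winsrv):
$sample = 'ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ' +
          'ServerDll=consrv:ConServerDllInitialization,2'
Test-SubSystemsValue -Value $sample   # reports the consrv entry
Test-GacDesktopIni
```

Run it from an elevated PowerShell on the booted system, or feed it the value exported from the offline ControlSet001 hive when the machine will not start.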
Was it HitmanPro that was the last tool used?
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
SRV:64bit: - [2009-07-14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\SE26mdfl.dll -- (zpaction)
NetSvcs:64bit: zpaction - C:\Windows\SysNative\SE26mdfl.dll (Oak Technology Inc.)
[2012-02-18 13:13:38 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
[2012-02-07 13:45:54 | 000,000,112 | ---- | M] () -- C:\ProgramData\5V8tDVG.dat
:Files
ipconfig /flushdns /c
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
THEN
Run the MSFixit on this page http://support.microsoft.com/kb/811259 (about halfway down)
Yes, I ran HitmanPro in an earlier stage.
Logs coming up.
That destroyed my Windows, resulting in BSODs. Any other ideas?
Can you select System Restore from the safe boot menu, please?
Then we will try a different way.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks.
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.
Notes:
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
ComboFix deleted some things... But this happened before, so not sure if I'm clean.
Going to do a fresh install of Avast Antivirus Free to see what happens.
The reason ComboFix does not appear to work is because it misses the protection driver, which needs to be removed manually.
File::
C:\Windows\SysNative\SE26mdfl.dll
C:\Windows\SysNative\dds_trash_log.cmd
NetSvc::
zpaction
Driver::
zpaction

Save this as CFScript.txt, in the same location as ComboFix.exe.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
Log as requested
OK, could you run the same ComboFix script a second time, please...
Once that has completed, could you let me know what problems remain?