Sirefef.a virus please help

Hello

Just recently I found my computer running slower than usual and tabs opening by themselves while using internet explorer. Then I suddenly started getting warnings from my antivirus AVG free 2013 that two threats had been found; one of them was called Sirefef.a, and the other was called trojan-something(guess I should have made a note of its whole name). Anyway, apparently they were successfully moved to the virus vault, where I deleted them. But after that I kept getting the same warning with the same two threats every couple of minutes, even though I kept on deleting them.

I read that the most effective method of removing this virus is by manually removing it by booting up in safe mode with networking. I have tried this, but it won't boot up in safe mode; it starts to, but then a blue sceen of death flashes on the screen and the computer restarts.

Next I tried running Malwarebytes, Spybot search & destroy, TDSSKiller, and my AVG antivirus scan. Malwarebytes, which I ran first, was the only scan to find anything, and it apparently successfully removed all threats(Spybot and AVG found nothing, and TDSSKiller found a few suspicious objects, but they were just unsigned files, which I have been told to ignore).

Since running Malwarebytes, I no longer get AVG threat warnings, but my computer is still unable to boot up in safe mode, and it's still running slowly(CPU usage is high even when I'm doing nothing). My computer is 32-bit Windows XP SP3. Please tell me if there's anything I can do.

Here's the log for the Malwarebytes scan, since it was the only scan to actually find anything. Hope it helps.

 

Hello Messengerrobo,

Please reread the instructions of the Malware Removal Guide which states to attach the logs regardless if they found anything or not.

Doesn't sound like you ran MGtools.exe either. Remember to attach c:\MGlogs.zip.

 

I've run all the scans in the malware removal guide now.

Here are the logs.

 

The log you attached from TDSSKiller is from a much older version of TDSSKiller.

Please use the latest version that is linked in the TDSSKiller - How to run guide and follow the rest of the instructions in there.

 

Here is the log for the newer TDSSKiller.

 

Delete items using RogueKiller.

• Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
• When it opens, press the Scan button
• Once the scan is complete, press the Delete button.
• Attach the latest RogueKiller log (of deletion) to your next message. (How to attach)

 

After you finish with the above, continue with the below:

From Add/Remove Programs (via Control Panel), please uninstall the below:

• Java(TM) 6 Update 20

__

Please download Disable/Remove Windows Messenger to your desktop.

• Double-click MessengerDisable.exe to run it.
• Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
• Click Apply
• Click Exit

__

Fix items using OTL by OldTimer
Download OTL from the above link to your desktop.
Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the text-field.

Code:

[COLOR="DarkRed"]:files[/COLOR]
C:\RECYCLER\S-1-5-18\$c26b4cf337013a884e3841f11d6146ff /d
C:\RECYCLER\S-1-5-21-823518204-492894223-854245398-500\$c26b4cf337013a884e3841f11d6146ff /d
C:\Documents and Settings\Administrator\Local Settings\Application Data\d8nrjf2804qr7jcivv287xs38p6vv5w5vh64t1lc2 /d
C:\Documents and Settings\Administrator\Templates\d8nrjf2804qr7jcivv287xs38p6vv5w5vh64t1lc2 /d
C:\WINDOWS\Temp\{CB5AE9EC-06B1-49C4-8742-CA810EB281D4}.exe /d
[COLOR="DarkRed"]:reg[/COLOR]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"startup"=dword:00000000
[COLOR="DarkRed"]:commands[/COLOR]
[emptytemp]

Now click the button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

__

Now install the current version of Sun Java from: here

__

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

__

Let me know what problems remain after you have completed all of these steps.
Also let me know if you encountered any issues along the way which prevented you from completing these steps.

 

I was able to follow all of the steps smoothly. I have attached the logs for roguekiller, OTL, and MGtools.

By the way, I'm not quite sure which version of java to download... What is the difference between windows x86 online and offline?

 

No differences in the Java program itself. Only the installation process is handled differently:

• Online = small installer stub which fetches the download and installs afterwards.
• Offline = Full standalone installation file (no more downloading required).

If you are not having any other malware related problems, it is time to do our final steps:

• Any programs we had you download and/or install can be removed at this time.
• If we had you download and run ComboFix, here is how to uninstall it:
  • Press and hold the Windows key and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /uninstall
  • Now press ENTER
  • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
• You can re-enable your Disk Emulation software at this time via DeFogger.
• If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
• Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
• Now we will toggle System Restore to remove any infected system restore points.
  • Read this: How to Disable And Enable System Restore
• Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
• Be safe

 

Thank you for all the help . But there is one more thing I'm concerned about; when I try to configure the Windows firewall settings in Control Panel, I get a message saying "due to an unidentified problem, Windows cannot display Windows Firewall settings".

Not sure if it's related to the virus problem...

 

Yes it is related to this infection. My apologies for missing it.

Do these scans / repairs:

Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to the Start Repairs tab.
• Press the Start button
• Create a System Restore point if prompted.
• In the Repair Options window, choose the following repairs:
  • Reset Registry Permissions
  • Repair Windows Firewall
• Place a checkmark in Restart/Shutdown System When Finished
• Fill in the Restart System bubble
• Now click the Start button.
• Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

__

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure all the options are checked
• Press Scan.
• It will create a log (FSS.txt) in the same directory the tool was run.
• Please attach FSS.txt to your next message. (How to attach)

 

I've followed the steps, and the firewall is on now. But now it says that Windows automatic updates are off, and I can't turn them on.

Anyway, here's the log.

 

• Download both of the files below onto the desktop of the computer with the issues:
  • wuauserv.reg
  • BITS.reg
• Now double-click each of them, one at a time, and allow each one to merge into the Windows registry.
• Let me know if you received a successful message for both files.
  • If all were successful, reboot your computer and rescan with Farbar Service Scanner. Attach its latest log.
  • If they weren't successful, let me know but rescan with Farbar Service Scanner too.

 

Both files were successful. But after the reboot the toolbar at the bottom of the screen(which was normally blue) is now grey, like the older Windows...

Also, I still can't configure the Windows firewall settings in control panel; when I try, first I get a message telling me to start the SharedAccess service. After clicking yes, I get another message saying that the SharedAccess service was unable to start.

Anyway, I have attached the log.

 

More repairs needed

• Download each of the 4 files below onto the desktop of the computer with the issues:
  • netman.reg
  • cryptsvc.reg
  • SharedAccess.reg
  • wscsvc.reg
• Now double-click each of them, one at a time, and allow each one to merge into the Windows registry.
• Let me know if you received a successful message for all four files.
  • If all were successful, reboot your computer and rescan with Farbar Service Scanner. Attach its latest log.
  • If they weren't successful, let me know but rescan with Farbar Service Scanner too.

 

Actually, after a couple of reboots, the problems that I mentioned seemed to have sorted themselves out; the toolbar is back to normal and Windows firewall/updates seem to be working as well...

Should I still download those 4 registry files?

 

If everything is running well now as you say then there is no need

 

On second thought... After the most recent boot up, I seem to be having some of those problems again; can't configure firewall, SharedAccess service can't turn on, and the toolbar turned grey(although this time it turned blue again after a moment).

I think Windows updates are okay, as I'm not getting any warnings about them being off, and they appear to be on when I check the automatic updates tab in system properties.

But upon boot up I also got a "Generic Host Process for Win32 services has encountered a problem and needs to close" message. So it doesn't seem like everything is completely okay after all, I guess.

I'm trying to download those 4 registry files, but the first two(netman.reg and cryptsvc.reg) won't download; when I click the links for them I just get "The webpage cannot be found"...

 

Sorry about that, I have updated the download links in my previous post. Refresh your browser as they are all working now

 

I ran the four files, but there still seems to be problems... Upon boot up, I got the "generic host process for Win32 services has encountered a problem and needs to close" message again. Here is the stuff that was mentioned in the error:

Error signature

szAppName : svchost.exe
szAppVer : 5.1.2600.5512
szModName : ntdll.dll
szModVer : 5.1.2600.6055
offset : 00019af2

Error report

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER8176.dir00\svchost.exe.mdmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER8176.dir00\appcompat.txt

Hope it helps. The toolbar turned grey again a few minutes after the boot up. Also, I still get an error when trying to configure the firewall; this time, the message said "cannot start Windows firewall/internet connection sharing (ICS) service".

Anyway, I ran the Farbar service scanner again. Here is the log.

 

Which toolbar are you referring to here?

Take a before and after picture using the following instructions: http://take-a-screenshot.org/

 

I mean the bar that runs along the bottom of the screen, with the start button, open windows, clock etc.



Maybe toolbar is the wrong word for it... But anyway, strangely, my problems seem to be gone again after the most recent boot up; the said bar is staying blue this time(so I couldn't get an after picture of when it goes grey), and I can configure the firewall settings now. I also didn't get the "Win32 services has encountered a problem" error.

It looks like everything is okay now, but I'm not totally convinced, as these problems seem to come and go at random... Do the logs I've posted show any signs of more problems?

 

This is the Taskbar

__

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

Since I ran MGclean.bat in one of the earlier steps, just downloaded it again. I have attached the log.

 

Your logs are clean to me. Firewall is running, Windows Update is running. All the registry patches we added seemed to have done the trick.

You can complete the cleanup instructions again if there are no other problems.

 

Okay, the taskbar and firewall seem to be fine now.

I hate to bring up another problem after all the help you've already given, but there's one more thing I'm concerned about(not sure if it's related to any kind of virus). It seems that I get a blue sceen of death whenever I'm using google chrome; it usually happens after only a few minutes of browsing, on any website.

My only browser for years has been Windows internet explorer, but since I have heard that google chrome is better, I decided to download it about a month ago. It worked fine for a couple of weeks, but then I started to get blue screens of death every time I used it, for seemingly no reason. After that I went back to internet explorer, which worked fine.

In light of all of this virus business, I thought maybe it was the virus that had caused those blue screens. Since my computer is clean now, today I gave google chrome another try; it blue screened after a few minutes again.

I assure you that I haven't done anything dodgy in the last couple of days that would have given my computer another virus, so I don't think this is caused by a virus... Any advice on what could be causing this?

 

Do you have any files in this folder?
C:\Windows\Minidump
If so, attach them for me to review.
They will have a .dmp file extension.

 

I'm afraid the folder is empty...

Would it help if I made a note of what kind of error is mentioned in the blue screen the next time it happens?

 

It could help. I can recognize a few. Give me the code that is highlighted in the picture below next time it happens.

 

Here is the full code:

STOP : 0x0000008E (0xC0000005, 0xBF9568C8, 0xB94DAC00, 0x00000000)

I actually wrote this one down after attempting to use google chrome a few days ago and forgot about it...

 

0x8E is pretty general but some of the common causes are issues with a Pagefile, memory failure, video failure.

Does not coincide with Google Chrome though so I really do not know.

I recommend that you post in the Software forum.

Here is the site where you can download Memtest86+

 

Okay, I'll try posting there.

Thank you for all the help