Remove Win:64/Sirefef.B

Discussion in 'Malware Help (A Specialist Will Reply)' started by pcuser, Aug 21, 2012.

  1. pcuser

    pcuser Private E-2

    Hello,

Scanning with Malwarebytes and subsequently MS Security Essentials I was alerted to the trojan Win:64/Sirefef.B on my laptop which could not be removed. I now observe Win 7 shutdown in response to a warning message (in 1 min.) even in safe mode and I am pretty much unable to do anything further and pretty stuck at this point. Based on earlier threads I have obtained and run the Farbar Recovery Scan Tool from the command prompt and have attached the resulting FRST.txt and Search.txt files that were obtained from my system. Please help with a fixlist.txt. I understand that this needs to be created for each system individually which is why I posted this new thread.

    I was impressed with the farbar instructions and the smooth process and hope for help to get my system running again.

    Any help is highly appreciated.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.

    -------------------------------

    Re run FRST (no fix just a scan and attach log)



    I want you to run TDSSKiller so refer to the below for how to do so. (DO NOT just quit after running TDSSKiller and MBRCheck, there is MUCH more to do, scroll further down and follow the Read and Run Me First Malware removal procedures link.)

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.




    Now do not stop, please continue on with the below instructions too! :)

    v
    V
    V
    V
    READ & RUN ME FIRST. Malware Removal Guide
     

    Attached Files:

  3. pcuser

    pcuser Private E-2

    Hello Kestrel13!

    I am truly impressed with your help! After I ran the fixlist that you provided I was able to reboot normally and I went through all the steps you listed including those in the malware removal guide and the Win7-specific steps. Everything worked as predicted. I followed instructions to clean what was found and attached all the logs. So far, for about one day the system seems to run normally. According to the instructions I did not remove anything found by the RogueKiller (just attached the log) and wonder whether I still have to follow up on this or take any other specific steps.

    This has been extremely helpful!

    I could only attach 5 files and will attach the remaining ones in a new reply.
     

    Attached Files:

  4. pcuser

    pcuser Private E-2

    Here are the remaining logs:
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sorry for a delay in a response. Been extremely busy.

    Please download these 4 files to your desktop.

    DHCP.reg
    BFE.reg
    BITS.reg
    MpsSvc.reg



    Boot into safe mode to do the below:

    • Now please click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    • Then in the Registry Editor menu click File and select Import.
    • Navigate to the Dhcp.reg file saved to your Desktop and double click it. Allow it to be added to the registry. Repeat this for the three others.

    Now back into normal mode... and - Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  6. pcuser

    pcuser Private E-2

    I added the four files to the registry in safe mode and attached the log subsequently created in normal mode. Everything worked smoothly!

    Many thanks again!
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Repeat the steps for BFE.reg please in any mode, and also go to start > and type in services.msc and click ENTER. Scroll down to the Background Intelligent Transfer Service if it's listed and let me know its status and start-up type please.
     
  8. pcuser

    pcuser Private E-2

    I added BFE.reg again to the registry in normal mode and found Background Intelligent Transfer Service listed with status blank (as opposed to other services sometimes listed as started) and start up type: Automatic (Delayed Start).

    Thanks again!
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Is Windows Update functioning?

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  10. pcuser

    pcuser Private E-2

    No, Windows Update gave a message that the service is not running (restarting did not change this). The new MGlog is attached. Many thanks again!
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download Combofix to your desktop (DO NOT run it yet, and before we do following the below instructions, I would like for you to ENSURE your anti-virus/antispyware is all disabled!!)



    Now let's use ComboFix.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
    "DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
    "ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
    32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
    "Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
    "ObjectName"="LocalSystem"
    "ErrorControl"=dword:00000001
    "Start"=dword:00000002
    "DelayedAutoStart"=dword:00000001
    "Type"=dword:00000020
    "DependOnService"=hex(7):52,70,63,53,73,00,45,76,65,6e,74,53,79,73,74,65,6d,00,\
    00
    "ServiceSidType"=dword:00000001
    "RequiredPrivileges"=hex(7):53,65,43,72,65,61,74,65,47,6c,6f,62,61,6c,50,72,69,\
    76,69,6c,65,67,65,00,53,65,49,6d,70,65,72,73,6f,6e,61,74,65,50,72,69,76,69,\
    6c,65,67,65,00,53,65,54,63,62,50,72,69,76,69,6c,65,67,65,00,53,65,41,73,73,\
    69,67,6e,50,72,69,6d,61,72,79,54,6f,6b,65,6e,50,72,69,76,69,6c,65,67,65,00,\
    53,65,49,6e,63,72,65,61,73,65,51,75,6f,74,61,50,72,69,76,69,6c,65,67,65,00,\
    00
    "FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
    00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
    "ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
    33,32,5c,71,6d,67,72,2e,64,6c,6c,00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Performance]
    "Library"="bitsperf.dll"
    "Open"="PerfMon_Open"
    "Collect"="PerfMon_Collect"
    "Close"="PerfMon_Close"
    "InstallType"=dword:00000001
    "PerfIniFile"="bitsctrs.ini"
    "First Counter"=dword:00000774
    "Last Counter"=dword:00000784
    "First Help"=dword:00000775
    "Last Help"=dword:00000785
    "Object List"="1908"
    "PerfMMFileName"="Global\\MMF_BITS_s"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum]
    "0"="Root\\LEGACY_BITS\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "PreshutdownTimeout"=dword:036ee800
    "DisplayName"="@%systemroot%\\system32\\wuaueng.dll,-105"
    "ImagePath"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
    32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
    "Description"="@%systemroot%\\system32\\wuaueng.dll,-106"
    "ObjectName"="LocalSystem"
    "ErrorControl"=dword:00000001
    "Start"=dword:00000002
    "DelayedAutoStart"=dword:00000001
    "Type"=dword:00000020
    "DependOnService"=hex(7):72,70,63,73,73,00,00
    "ServiceSidType"=dword:00000001
    "RequiredPrivileges"=hex(7):53,65,41,75,64,69,74,50,72,69,76,69,6c,65,67,65,00,\
    53,65,43,72,65,61,74,65,47,6c,6f,62,61,6c,50,72,69,76,69,6c,65,67,65,00,53,\
    65,43,72,65,61,74,65,50,61,67,65,46,69,6c,65,50,72,69,76,69,6c,65,67,65,00,\
    53,65,54,63,62,50,72,69,76,69,6c,65,67,65,00,53,65,41,73,73,69,67,6e,50,72,\
    69,6d,61,72,79,54,6f,6b,65,6e,50,72,69,76,69,6c,65,67,65,00,53,65,49,6d,70,\
    65,72,73,6f,6e,61,74,65,50,72,69,76,69,6c,65,67,65,00,53,65,49,6e,63,72,65,\
    61,73,65,51,75,6f,74,61,50,72,69,76,69,6c,65,67,65,00,53,65,53,68,75,74,64,\
    6f,77,6e,50,72,69,76,69,6c,65,67,65,00,00
    "FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
    00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
    "ServiceDll"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
    33,32,5c,77,75,61,75,65,6e,67,2e,64,6c,6c,00
    "ServiceMain"="WUServiceMain"
    "ServiceDllUnloadOnStop"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum]
    "0"="Root\\LEGACY_WUAUSERV\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001 
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this
     
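The CFScript above stores the BITS and wuauserv paths as comma-separated hex bytes. The following is an added example, not part of the thread or of ComboFix, that decodes such a block so the paths and startup values a registry fix will write can be read before it is applied; the here-string is a constructed excerpt of the BITS entries shown above and the function name is my own.

```powershell
# Added example (not from the thread): decode hex-encoded .reg / CFScript entries.
# The here-string is a constructed excerpt of the BITS entries in the script above.
$RegText = @'
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"DependOnService"=hex(7):52,70,63,53,73,00,45,76,65,6e,74,53,79,73,74,65,6d,00,\
00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,71,6d,67,72,2e,64,6c,6c,00
'@

function ConvertFrom-RegText {
    param([string]$Text)
    $startMap = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    # A trailing backslash continues a hex list on the next line; rejoin those first.
    $joined = $Text -replace "\\`r?`n\s*", ''
    $key = ''
    foreach ($line in ($joined -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $key = $Matches[1]; continue }
        if ($line -notmatch '^"(?<name>[^"]+)"=(?<val>.+)$') { continue }
        $name = $Matches['name']; $val = $Matches['val']
        $bytes = $null
        if ($val -match '^hex(\(\d\))?:(.*)$') {
            # The bytes here are single-byte (REGEDIT4 style), so ASCII decoding is right.
            $bytes = [byte[]]($Matches[2] -split ',' | ForEach-Object { [Convert]::ToByte($_, 16) })
        }
        switch -Regex ($val) {
            '^dword:' {
                $n = [Convert]::ToInt32($val.Substring(6), 16)
                $type = 'REG_DWORD'; $value = $n
                # Start: 2 = Automatic, 3 = Manual, 4 = Disabled
                if ($name -eq 'Start' -and $startMap[$n]) { $value = "$n ($($startMap[$n]))" }
                break
            }
            '^hex\(2\):' {  # REG_EXPAND_SZ: one NUL-terminated string
                $type = 'REG_EXPAND_SZ'
                $value = [Text.Encoding]::ASCII.GetString($bytes).TrimEnd([char]0); break
            }
            '^hex\(7\):' {  # REG_MULTI_SZ: NUL-separated strings, double-NUL terminated
                $type = 'REG_MULTI_SZ'
                $value = [Text.Encoding]::ASCII.GetString($bytes).TrimEnd([char]0).Split([char]0) -join ' ; '
                break
            }
            '^"(.*)"$' { $type = 'REG_SZ'; $value = $Matches[1] -replace '\\\\', '\'; break }
            default    { $type = 'REG_BINARY'; $value = $val; break }
        }
        [pscustomobject]@{ Key = ($key -replace '^.*\\Services\\', ''); Name = $name; Type = $type; Value = $value }
    }
}

ConvertFrom-RegText -Text $RegText | Format-Table -AutoSize
```

For the excerpt above the ImagePath decodes to %SystemRoot%\system32\svchost.exe -k netsvcs and DependOnService to RpcSs ; EventSystem, which is the dependency pair the later posts in this thread end up chasing.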
  12. pcuser

    pcuser Private E-2

    Many thanks again. I followed all your instructions and attached both logs.
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Trying to get BITS back isn't going to be simple, let's keep trying.

    I want you to run TDSSKiller once more first, and attach the log.
     
  14. pcuser

    pcuser Private E-2

    I ran TDSSKiller (after updating first) and it did not find any threats. Log is attached. Thanks again.
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to run the Windows 7 - SFC /SCANNOW Command - System File Checker

    Once complete, let's move onto the below to have another pop at getting BITS back.

    Download the attached zip file which contains BITS.reg. Unzip BITS.reg to your desktop.


    • Now please click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    • Then in the Registry Editor menu click File and select Import.
    • Navigate to the BITS.reg file saved to your Desktop and double click it. Allow it to be added to the registry. Let me know if you get a success message or not!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     

    Attached Files:

  16. pcuser

    pcuser Private E-2

    When I started the system I was surprised to see a message that it had (automatically) installed windows updates. As I reported earlier updates did NOT work when I tested it a few days ago. I hope this is good news.

    I ran SFC /SCANNOW and it did not find integrity violations. I added BITS.reg to the registry and received a success message! I ran MGtools and MGlogs.zip is attached.

    Many thanks again!
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Still not back in place as it should be. Hmm...

    • Open up Services again.
    • Right-click the Background Intelligent Transfer Service (BITS) service, and then click Properties.
    • On the General tab, next to Startup type, make sure that Automatic (Delayed Start) is selected.
    • Next to Service status, check to see if the service is started. If it's not, click Start.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  18. pcuser

    pcuser Private E-2

    The service was on automatic (delayed start) but gave an error message when I tried to start it: Error 1068: The dependency service or group failed to start. MGlogs.zip is attached. Thanks again.
     

    Attached Files:

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Make sure these services are enabled, started, and set to automatic startup:

    • COM+ Event System
    • Remote Procedure Call (RPC)
    • DCOM Server Process Launcher

    Then try and start the BITS service again. Let me know what happens.
     
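The check above is done by hand in services.msc. As an added example that is not part of the thread, the script below walks the same dependency chain from the registry and the Service Control Manager so the stopped link behind "Error 1068" shows up in one listing; it is read-only, and the function name is my own.

```powershell
# Added example (not from the thread): list a service's dependency chain with each
# link's state and startup type. Read-only: it starts nothing. Run on the affected PC.
function Get-ServiceChain {
    param([string]$Name = 'BITS')
    $startMap = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($Name)
    while ($queue.Count -gt 0) {
        $svcName = $queue.Dequeue()
        if ($seen.ContainsKey($svcName)) { continue }
        $seen[$svcName] = $true
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        if (-not $svc) {
            # A dependency that is not registered at all also produces error 1068.
            [pscustomobject]@{ Service = $svcName; DisplayName = '(not installed)'
                               Status = 'MISSING'; Startup = '-'; DependsOn = '-' }
            continue
        }
        # Startup type straight from the registry Start value, plus the delayed-start flag.
        $reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName" -ErrorAction SilentlyContinue
        $startup = 'unknown'
        if ($reg -and $null -ne $reg.Start -and $startMap.ContainsKey([int]$reg.Start)) {
            $startup = $startMap[[int]$reg.Start]
        }
        if ($reg -and $reg.DelayedAutoStart -eq 1) { $startup += ' (Delayed Start)' }
        $deps = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
        [pscustomobject]@{
            Service     = $svcName
            DisplayName = $svc.DisplayName
            Status      = $svc.Status
            Startup     = $startup
            DependsOn   = ($deps -join ', ')
        }
        foreach ($d in $deps) { $queue.Enqueue($d) }
    }
}

# Show the whole chain, then only the links that would stop BITS from starting.
$chain = Get-ServiceChain -Name 'BITS'
$chain | Format-Table -AutoSize
$chain | Where-Object { $_.Status -ne 'Running' } |
    ForEach-Object { "Blocking: $($_.Service) is $($_.Status), startup type $($_.Startup)" }
```

On a healthy Windows 7 machine the chain from BITS reaches RpcSs and EventSystem, and through RpcSs the DCOM Server Process Launcher, which are the three services named in the advice above.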
  20. pcuser

    pcuser Private E-2

    I found that RPC and DCOM Server Process Launcher had started and were set to automatic startup but COM+ Event System was not. I was able to start it and set it to automatic startup. After that I was NOW! able to start the BITS service set to automatic startup (delayed). Finally, I ran MGtools again and attached the log - just in case. Many thanks again and this looks like good news!
     

    Attached Files:

  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent! :) Everything is as it should be. Is everything acting as it should? No problems at all?
     
  22. pcuser

    pcuser Private E-2

    So far everything seems to work fine and I have now used a variety of programs without any problems. I assume then that I should re-enable user account control and toggle system restore and keep updating windows and keep MS security essentials active? Do you agree and do you recommend any other steps? This has been extremely helpful!
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, I agree with you, I will provide the final steps below. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
