IF YOU need help for the Win32:sirefef-ZT virus or malware READ

[obwhon58]

I recently had to repair a computer that had a very bad problem.  It had gotten the Win32:sirefef-ZT virus or malware.  The system was running Malwarebytes and AVG anti virus.  It knew it had the virus but failed to stop it entering and couldn't remove it.  I installed Avast anti virus on it and it couldn't remove it either so I spent a lot of time on this forum finding out how to remove it and saw some pretty good programs posted in your help pages.  I'm sure they helped to remove it.  It took about 3 days to do so but the first thing you recommended running was Malwarebytes.  This I don't understand.  It was present when the computer got infected and let it in.  It also couldn't do anything about removing it either.  After many frustrating hours of trying to get rid of this I did what I should have done in the first place and what I always do.  I installed "Spybot Search and Destroy" .  It did one scan, one reboot scan and then I did a final scan with Avast and the Win32:sirefef-ZT  virus and the Win32"sirefef-PL virus were gone never to return.  I just don't see why people think Malwarebytes is so fantastic and fail to recognize the brilliance of Spybot S&D.  It is twice the program that Malwarebytes is.  It's not only great at removing malware and spybots but it builds a restricted site list in your browser to keep your computer from going to or linking to the sites that all this crap comes from.  I think they currently protect you from over 19000 web sites that distribute malware and spybots.  When you try this program and find it as useful as I do, please donate money to their cause.  They do it for free and it's on hell of a program.

[obwhon58]

By the way.  I've religiously used Avast for quite some time and I deal with a lot of viruses.  While I was working on this computer I opened my email and low and behold I had an email with the Win32:sirefef-PL virus and Avast caught it and kept it out.  In my profession repairing computers I sometimes take hard drives out of other systems put into my own and scan and remove the viruses with Avast.  It has always been able to remove them and never lets my computer get infected with the viruses it finds.  It beats the hell out of Norton, AVG and MacAfee.

[mikaelrask]

hey and welcome to the forum. please follow this guide and attach your logs

http://forum.avast.com/index.php?topic=53253.0.

the sirefef trojan is a nasty one and needs expert help to be able to be removed.

avast have just minimize the infection to get more server. that's why you get the popup from avast.

a malware expert will guide you from there when you have attach the necessary logs.

[mikaelrask]

update; i have sent a note to one of the malware expert here on the forum on your problem.

[obwhon58]

Read more carefully.  I don't have a problem.  The problem was I used Malwarebytes.  Once I used spybot I got it out of the system.  Computer cured.

[Pondus]

first....no security program have 100% detection

if you search the removal forums around the net...like majorgeeks / geeks to go / bleepingcomputer / and more....why do you think the first tool they try is Malwarebytes....... and they all stopped using spybot years back

spybot update once a week.....MBAM may have 10 in one day

[obwhon58]

That's the problem.  They stopped using it years ago but Spybot continued to evolve.  I've dealt with viruses for years and I've seen spybot take out malware that Malwarebytes couldn't..   Malwarebytes also doesn't build the restricted site list for your browser so you're computer can't go to the sites that host the spybots and malware.  I tried all the stuff on this forum for days and spybot got it out in one scan.  Maybe all the experts should go back and try it again.  They might learn something.

[Pondus]

I tried all the stuff on this forum for days and spybot got it out in one scan.

to verify that, you should follow the guide her and attach a OTL log and let Essexboy have a look inside

http://forum.avast.com/index.php?topic=53253.0

[true indian]

While I was working on this computer I opened my email and low and behold I had an email with the Win32:sirefef-PL virus and Avast caught it and kept it out.  I It has always been able to remove them and never lets my computer get infected with the viruses it finds.  It beats the hell out of Norton, AVG and MacAfee.

Hah! Glad you like avast! but please take a note of the statement in my below signature 

P.S. Agree,avast! is a great prevention solution.

[essexboy]

I would be intrigued to see how spybot took out sirfef, as malwarebytes can't. Nor can any AV.  The only two that I know of that will are RogueKiller and Combofix although sometimes TDSSKiller will get it

The reason that malwarebytes is the first tool to run in the help thread is that it will remove all the "normal stuff" and the OTL log will determine what remains and what would be the most appropriate tool to use next

Also with IE8 and 9 there is an integral block list which negates the requirement for a host list with 2000 entries

[obwhon58]

Well I followed your guide and used roguekiller and OTL (excellent programs).  I also ran the other programs and they cleaned out a lot of garbage but it all kept coming back.  Then I installed Spybot S&D and scanned and cleaned with it then let it run the boot scan.  It wiped out a lot of invalid cab files that I think were being used to regenerate the sirefef-ZT and sirefef-PL.  After it was done running I used Avast AV and ran another scan alone with roguekiller and OTL.  They were able to take out the sirefef-PL.  Everything I had tried to that point seemed to work until you rebooted and it was all regenerated again but the Spybot S&D seemed to stop the regeneration.  One theory on that is that it builds a restricted site list in your browsers that keeps them from accessing the hosts of most of the malware and spybots.  This might have been instrumental in stopping the regeneration of the problem.  I'm not dissing Malwarebytes.  I've used it before  but I think a lot of people overlook the value of Spybot S&D.  I've had very good results with it's removal process and I love putting it on people's computers that are horrible at updating programs.  Even if it isn't upgraded often the restricted site list helps block a lot of malware.  If you're browser can't go there, you can't get it.  I realize most people don't directly go to the site but the embedded links in the websites they go to redirect you to the sites with the malware and spybots invisibly.

[Pondus]

After it was done running I used Avast AV and ran another scan alone with roguekiller and OTL.  They were able to take out the sirefef-PL

OTL does not take out anything.....it will produse a diagnostic log.....and from that log the removal experts will create a script that will instruct OTL what to remove..... Do you know how to do that?

if not you need to attach the OTL logs here so Essexboy can make that script.....if he see anything that need to be fixed

Even if it isn't upgraded often the restricted site list helps block a lot of malware.  If you're browser can't go there, you can't get it

i use openDNS for that 

[obwhon58]

I already had the script for. OTL.   I do use OpenDNS but I was touting Spybot S&D as a tool for removal and to give to my clients that don't use OpenDNS.  I read a lot on the interent about people not being able to get rid of Sirefef.  I read a lot on your forums.  I tried your tools and still had it.  Instead of sending in my log files and waiting for a response I kept trying the tools I use. 

All I was trying to do in this post was inform you of what I found that would remove it.  I've now run a lot of scans and it is gone.   I can see now that I'm pretty much wasting my time.  You've all found your own cures.  I've learned about some new programs and I thank you for that.  In my 20 years of repairing computers I've removed thousands of viruses, malware and spybots but I'm not in your league as far as knowledge goes but I do know a few tricks.  Just thought I'd pass one on.  Like someone said, there is no cure-all for this stuff unless you line up all that hackers against a wall in front of a firing squad.  You just have to keep trying stuff and find what works.  I was fortunate enough to fix computers for a real estate agent that got about 4000 emails a day, was on every spam list in the world, wouldn't update computers, let employees turn off the virus protection and I learned how to keep most of it out of her systems and clean up the rest.

[essexboy]

It wiped out a lot of invalid cab files that I think were being used to regenerate the sirefef-ZT and sirefef-PL

These would be inactive until such time as a programme opened them, they do not open by themselves 

A cabinet (.cab) file is a library of compressed files stored as a single file. Cabinet files are used to organize installation files that are copied to the user's system. A large compressed file can be spread over several .cab files.

For a number of years, Microsoft has used .cab files to compress software that was distributed on disks. Originally, these files were used to minimize the number of floppy disks shipped with a product. Today, .cab files are used to reduce the file size and the associated download time for Web content that is found on the Internet or on corporate intranet servers.

One file in the cabinet is typically an information (.inf) file, which provides further installation information. The .inf file may refer to files in the .cab as well as to files at other URLs.

Also any information that would help me remove this stuff I gladly use, but this is one case where I have never seen it do any good at all

[obwhon58]

DUH.  I'm not an idiot that needs to be explained what a cab file it but what a perfect place to hide files so a program could run and extract command.  Cab files are many times protected system files that can't be deleted.  What a perfect place to hide a virus.  There was a whole directory of corrupted cab files.  There were also several infected .klm files. 

Originally it wasn't just a sirefet-zt virus.  When I started this whole process I cleaned out 12 viruses or malware and about 36 corrupted files.  Then they regenerated and there were only 8 viruses  the second time and the same 36 corrupted files I'd deleted the time before.  That was the problem.  They kept regenerating time after time even after running roguekiller the first time.  Spybot was the one that stopped them from regenerating so I guess they  weren't viruses as much as just plain deadly malware.  But  in my book it's a virus not malware.