Author Topic: Infected with Win32:Sirefef-HO [Rtk]  (Read 24273 times)


kinji

  • Guest
Infected with Win32:Sirefef-HO [Rtk]
« on: March 06, 2012, 02:02:23 AM »
please help
« Last Edit: March 16, 2012, 05:08:20 AM by kinji »

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #1 on: March 06, 2012, 02:03:08 AM »
log 2
« Last Edit: March 16, 2012, 05:08:32 AM by kinji »

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #2 on: March 06, 2012, 02:19:30 AM »
aswMBR
« Last Edit: March 16, 2012, 05:08:45 AM by kinji »

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #3 on: March 06, 2012, 04:24:03 AM »
combofix
« Last Edit: March 16, 2012, 05:08:56 AM by kinji »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #4 on: March 06, 2012, 08:13:20 AM »
Certified malware remover is notified.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #5 on: March 06, 2012, 08:38:33 PM »
OK, let's get at it.

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Quote
File::
C:\Windows\SysNative\epfwtdi.dll

NetSvc::
bhmonitorservice

Driver::
bhmonitorservice
Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

THEN

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O22 - SharedTaskScheduler: {CBE68977-972C-4977-8E29-0A5662FBE2A5} - SvjunoniDpn - No CLSID value found.

    :Files
    ipconfig /flushdns /c

    :Commands
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
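
An added read-only audit script (my own, not part of this thread or of OTL/ComboFix) for the two items the OTL fix above resets: it lists every SharedTaskScheduler CLSID and whether it has a CLSID registration (the orphaned state the O22 line reports as "No CLSID value found"), and prints any active hosts entry that maps a name somewhere other than loopback. Function names are my own; run it in an elevated PowerShell on the affected machine.

```powershell
# Added example, not from the thread. Read-only: it reports, it does not remove.
function Get-SharedTaskSchedulerStatus {
    # Each value under this key is a CLSID that Explorer loads at logon.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
    if (-not (Test-Path $key)) { return @() }
    $entries = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }
    foreach ($e in $entries) {
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$($e.Name)"
        $dll = $null
        if (Test-Path $clsidKey) {
            $raw = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }
        if (-not (Test-Path $clsidKey)) {
            $status = 'ORPHAN (no CLSID registration)'   # what OTL showed for the O22 entry
        } elseif (-not $dll -or -not (Test-Path $dll)) {
            $status = 'SUSPECT (InprocServer32 DLL missing)'
        } else {
            $status = 'LOADS'
        }
        [pscustomobject]@{ Clsid = $e.Name; Label = $e.Value; Status = $status; Dll = $dll }
    }
}

function Get-NonLoopbackHostsEntries {
    # Any uncommented line whose address is not 127.0.0.1 / ::1 redirects a name elsewhere,
    # which is why the fix above runs [resethosts] and flushes the DNS cache.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts | Where-Object {
        $_ -match '^\s*([^#\s]\S*)\s+\S' -and $Matches[1] -notin @('127.0.0.1', '::1')
    }
}

Get-SharedTaskSchedulerStatus | Format-Table -AutoSize
Get-NonLoopbackHostsEntries
```

Entries marked ORPHAN or SUSPECT are the ones to compare against a scan log before deciding on removal; a LOADS entry with a DLL in an unusual path is also worth a second look.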

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #6 on: March 06, 2012, 10:39:10 PM »
After 30 mins the ComboFix got a syntax error.
Now every program has an illegal operation registry key that has been marked for deletion.
I am now on my kindle awaiting your instructions

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #7 on: March 06, 2012, 10:41:57 PM »
Reboot to clear the illegal operation error.

I should add that to the CF script run.

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #8 on: March 06, 2012, 11:06:18 PM »
The ComboFix did not supply a log this time - it did leave two desktop.ini files.
Here is the new OTL.
Thanks for all your help essex.
« Last Edit: March 16, 2012, 05:09:11 AM by kinji »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #9 on: March 06, 2012, 11:10:30 PM »
It killed the protection driver though. It appears that OTL did not reset your hosts file or the shared task.

Could you run the same OTL fix again please and post the log that pops up on reboot.

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #10 on: March 06, 2012, 11:26:59 PM »
Thanks essex.
« Last Edit: March 16, 2012, 05:09:25 AM by kinji »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #11 on: March 06, 2012, 11:37:14 PM »
Silly question - are you pressing the Run Fix button?

Could you run the MS Fixit on this page please: http://support.microsoft.com/kb/972034

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #12 on: March 06, 2012, 11:46:20 PM »
Not a silly question!!
I screwed up the first time and was just running a full scan.
The second time, I did run the Run Fix and posted the OTL.
----------------------
I have now installed the Microsoft fix.
Run OTL quick scan again?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #13 on: March 06, 2012, 11:48:19 PM »
If you don't mind - just to confirm that the hosts file was reset and there is nothing hidden playing silly buggers ;D

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #14 on: March 06, 2012, 11:56:25 PM »
NP!
Thanks for all your help!!!
« Last Edit: March 16, 2012, 05:09:38 AM by kinji »