need some help with removing trojan win64\sirefef.y

[cool_gecko]

hi, been lurking here for a while, so I know you guys are good at removing tough malware. have a computer that's been infected with ZeroAccess. I will be at the client's location in about 12 hours, I could post logs then. MBAM originally found ZeroAccess, and removed it, but it's back after reboot. Microsoft Safety Scanner removed 2 additional trojans, and partly removed sirefef.y, then a message appears saying some critical error, and will reboot in a minute, please save your work. Currently, the computer has MSE installed (which is better than the previous av). I've been told by client that MSE finds it at bootup, and then goes into a boot loop.

TIA

[Pondus]

follow the guide here and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0


when done a malware removal specialist will be notified......and help you when he arrive....may take several hours

[essexboy]

Monitoring

[cool_gecko]

at windows 7 bootup, everything is fine, then MSE (only temp AV) finds it, and says cleaning. then it pops up saying system has a critical error and has to reboot in 1 min, so I can't disable MSE, or do anything, including running those tools.

[Asyn]

at windows 7 bootup, everything is fine, then MSE (only temp AV) finds it, and says cleaning. then it pops up saying system has a critical error and has to reboot in 1 min, so I can't disable MSE, or do anything, including running those tools.

Does safe mode work..??

[cool_gecko]

tried. same thing.

[Asyn]

tried. same thing.

Better wait for Essexboy then.

[essexboy]

OK can you burn a cd or if you have windows 7 then a USB will do.  I will give instructions for both

CD- XP/Vista

Please print these instruction out so that you know what you are doing

• Download OTLPENet.exe to your desktop
  
• Download Farbar Recovery Scan Tool and save it to a flash drive.
  
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn  to burn the file to CD
  
• Reboot your system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here

• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads 
• Your system should now display a Reatogo desktop.

Note : as you are running from CD it is not exactly speedy

• Insert the flash drive with FRST on it
• Locate the flash drive and run FSRT
• The tool will start to run.

• When the tool opens click Yes to disclaimer.
• Press Scan button.
  
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[/list]


USB

Download the following three programmes to your desktop :

1.  WiNToBootic
2.  Windows 7 64bit RC
     Windows 7 32bit RC
3.  64 bitFarbar Recovery Scan Tool x64
     32 bitFarbar Recovery Scan Tool

Extract wintoboot to your desktop
Insert a USB drive of at least 4GB
Run Wintoboot



Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing



It will let you know when it is done
Then copy FRST to the same USB




Insert the USB into the sick computer and start the computer.  First ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here

 
When you reboot you will  see this although yours will say windows 7. Click repair my computer

 
Select your operating system

 
Select Command prompt

 
At the command prompt type the following  :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]

[cool_gecko]

I'm following the CD instructions, since I don't have a flash drive with me. Currently downloading OTLPENet on working pc. it says to download FRST to flash drive. should I download that to CD too? also, this is Win7 x64, so I should download the x64 FRST from the 2nd instructions?

[essexboy]

If this is win 7 64 bit, it may be worthwhile downloading the boot disc as that will always come in handy.. I have a copy of that and the 32 bit one

You can put FRST64 on the CD but after OTLPE has been installed - drop it on the root sector 

[cool_gecko]

done with the install on the CD (OTLPE), but there's not enough room on the CD for FRST64. It's a CD-RW disc.

[essexboy]

OK as it stands then Run OTLPE and I will work from that initially

OTLPE should enable you access to the internet

• Reboot your system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here

• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads  :)
• Your system should now display a Reatogo desktop.

Note : as you are running from CD it is not exactly speedy

• Double-click on the OTLPE icon.
  
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
  
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  
• OTL should now start
• Press Run Scan to start the scan.
  
• When finished, the file will be saved  in drive C:\OTL.txt
  
• Copy this file to your USB drive if you do not have internet connection on this system
• Right click the file and select send to : select the USB drive. 
• Confirm that it has copied to the USB drive by selecting it
• You can backup any files that you wish from this OS
• Please post the contents of the C:\OTL.txt file in your reply.

[cool_gecko]

ok, after "yes" for remote registry it asks for select user profile with choices like LocalService, 1 username, etc. and this dialog box has automatically load all remaining users checked. should I select LocalService (top, already selected choice), or username?

[essexboy]

Go with local service initially please

[cool_gecko]

OTL file created, but that pc has no network connection in Reatogo.