need some help with removing trojan win64\sirefef.y

[cool_gecko]

I tried, MSE still tries.

[essexboy]

OK there are options that you could try

Either use FRST and read the log

Let me know if there are any references to ZA or Zero Access

Or from the recovery console select to system restore prior to the malware infection

[cool_gecko]

I think the ZA first installed itself in January, according to the directory, which couldn't be deleted, but I eventually did. it was under c:\windows\installer\ called {0d5f61ab-623a-4f10-8749-5309355bb099}.

[cool_gecko]

or call it a day, and I'll have a flash drive tomorrow, so I could post the OTL logs, and continue from Reatogo.

[essexboy]

OK run OTLPE

look down the log and you will see entries similar to c:\windows\installer\{0d5f61ab-623a-4f10-8749-5309355bb099}
Also check this area

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

If the red element is consrv then put that line in its entirety there as well in this format

:OTL
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

If so in the OTLPE Custom scans and fixes box copy the folder path only as we will delete it in its entirety

like so :

:Files
 c:\windows\installer\{0d5f61ab-623a-4f10-8749-5309355bb099}

Similar to this one http://forum.avast.com/index.php?topic=99747.0

Once you have entered it into the box, press run Fix
On completion try to boot back to windows

[cool_gecko]

Microsoft Safety Scanner actually deleted some items before (a few days ago), and I was able to manually delete this folder in installer\. should I still check for this line?

[cool_gecko]

I'm going go look for that line, then call it a day. I'll be back same time tomorrow, with flash drive, and will continue from that point.

[cool_gecko]

I searched for winsrv, consrv, and that 0d5f61ab... and nothing found. I'll have a flash drive tomorrow, I'll be here same time, will post OTL, and those 2 other logs.

thanks for your help today.

[essexboy]

If you use the flash drive then FRST will be the best option... Talking to OT he has not yet updated OTLPE to the latest version

[cool_gecko]

ok. got the flash drive. more than enough space. MSE finds Trojan Win64 Win64/Sirefef.Y. and it says System32 Services.exe C:\windows\sys32\services.exe->731.

[cool_gecko]

copied FRST64.exe over. it says not a valid win32 application when I try to run it from the flash drive.

[cool_gecko]

I'm going ahead with USB option, WinToBootic.

[cool_gecko]

yeah, C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess, then it says ATTENTION!

[cool_gecko]

found this: http://www.doitscared.com/1259/recover-from-the-sirefef-y-virus-infection/

(checked comments, and used vt, the file(s) are clean)

[essexboy]

OK if you could post the FRST log I will craft a fix for you