Solved Sirefef won't go away - please help!

I waited about 30 minutes, I will go out in about an hour and won't be home for 3 more hours after that, I can start it then and see if it's running when I'm home. Also what do I do if the program runs? My friend told me he had tried it before and it says like stage 1 complete and such, how many stages are there?
 
Status: Disinfected (events: 4)
2012-06-06 19:25:48 Disinfected Trojan program Trojan.Win32.Fraudpack.csbs C:\Documents and Settings\Ägaren\Downloads\dr2v10p9.dvt.zip/DEViATED.exe//PE_Patch.RLPack//RLPack High
2012-06-06 19:25:48 Disinfected Trojan program Trojan.Win32.Fraudpack.csbs C:\Documents and Settings\Ägaren\Downloads\dr2v10p9.dvt.zip/DEViATED.exe//PE_Patch.RLPack High
2012-06-06 19:25:48 Disinfected Trojan program Trojan.Win32.Fraudpack.csbs C:\Documents and Settings\Ägaren\Downloads\dr2v10p9.dvt.zip/DEViATED.exe High
2012-06-06 19:25:48 Disinfected Trojan program Trojan.Win32.Fraudpack.csbs C:\Documents and Settings\Ägaren\Downloads\dr2v10p9.dvt.zip High
Status: Deleted (events: 1)
2012-06-06 19:34:24 Deleted malware DoS.Perl.BBDoS.c C:\Perl64\bin\udp3.pl Medium
Status: Absent (events: 1)
2012-06-06 20:34:20 Not found Trojan program Trojan-Ransom.Win32.Birele.omn X:\Nedladdat\City Drive Demo.rar//City drive demo Setup.exe//IC.exe High
Status: Detected (events: 1)
2012-06-06 20:52:16 Detected virus IRC-Worm.Win32.Jane.f X:\Program\physics game.rar//game//ProcMan.exe High

This is what the scan found, the Trojan-Ransom.Win32.Birele.omn was deleted, that's why it says "Not found".
 
Also, I noticed that desktop.ini comes up every time I start Windows, and it says in mbam, nod etc that desktop.ini contains the Sirefef.
 
When you say Combofix is stuck is the computer clock still running?
If yes, that means that Combofix is still doing its thing.
I'd leave it running overnight.
 
Well my computer clock still works, no window has popped up yet, and I can't find any process like cmd.exe, combofix.exe. What would the process for combofix be called?
 
Are you re-running Combofix AFTER completing Kaspersky tool?

As for Combofix you may see one or more of these processes:
* CF19313.cfxxe
* PEV.exe
* NirCmd.cfxxe
* PEV.cfxxe

I'll be gone for a couple of hours.
 
Yes, I disable my AV and any programs that could interfere with it. I have tried restarting, booting in safe mode, running rkill, re-downloading the combofix.exe, nothing helps.
 
Also I opened taskmgr when I started it, and during extraction of files I saw pev.exe or something like that, then after a few seconds task manager closes and it seems like explorer.exe is reset cause everything flashes and my theme on the taskbar.
 
Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
NOTE. Make sure to reverse the above changes, when done with this step.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Windows\assembly\GAC_64\Desktop.ini
- C:\Windows\assembly\GAC_32\Desktop.ini
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
 
I can't find any folders inside the assembly folder. I managed to open the other folder in which nod32 finds Sirefef and such. It was called 80000032.@ but it does not seem to attack anymore since it's only been blocked once. It was inside installer folder in windows, there are a bunch of other files there that have been blocked over 1000 times but I can't see them at all.
 
Scan from the file I could find.

Antivirus Result Update
AhnLab-V3 -
AntiVir TR/ATRAPS.Gen2
Antiy-AVL - 20120607
Avast Win32: DNSChanger-VJ [Trj]
AVG Generic_r.AWX
BitDefender -
ByteHero -
CAT-QuickHeal -
ClamAV -
Commtouch -
Comodo UnclassifiedMalware
DrWeb BackDoor.Maxplus.5209
Emsisoft Trojan.Win32.Alureon!IK
eSafe -
F-Prot -
F-Secure -
Fortinet -
GData Win32: DNSChanger-VJ
Ikarus Trojan.Win32.Alureon
Jiangmin -
K7AntiVirus Riskware
Kaspersky -
McAfee Artemis!F2A0C085F4A2
McAfee-GW-Edition Heuristic.BehavesLike.Win32.Spyware.J
Microsoft Trojan:Win32/Sirefef.AK
NOD32 probably a variant of Win32/Sirefef.EU
Norman -
nProtect -
Panda Trj/CI.A
PCTools -
Rising -
Sophos Sus/Behav-1010
SUPERAntiSpyware -
Symantec Suspicious.Cloud.5
TheHacker -
TotalDefense -
TrendMicro -
TrendMicro-HouseCall TROJ_GEN.R47H1F5
VBA32 -
VIPRE Trojan.Win32.Generic!BT
ViRobot -
VirusBuster -
 
C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U

Also found another one that has been picked up by Nod, called 000000008.@ or something like that, but it disappeared when I highlighted it. If I see it coming back I can scan it in virustotal.
 
It quarantines it but it just keeps coming back, I'll give you picture in some minutes after scan is done of that file.
 
Scan results from 00000008.@

AhnLab-V3 -
AntiVir SPR/BitCoinMiner.A
Antiy-AVL -
Avast Win32:BitCoinMiner-U [PUP]
AVG PSW.KeyLogger.AXD
BitDefender Trojan.Sirefef.GA
ByteHero -
CAT-QuickHeal -
ClamAV PUA.Win32.Packer.Upx-44
Commtouch -
Comodo -
DrWeb Tool.BtcMine.26
Emsisoft Win32.Trojan!IK
eSafe -
F-Prot -
F-Secure Trojan.Sirefef.GA
Fortinet W32/Agent.WHI!tr
GData Trojan.Sirefef.GA
Ikarus Win32.Trojan
Jiangmin -
K7AntiVirus Riskware
Kaspersky -
McAfee Generic.dx!b2qj
McAfee-GW-Edition -
Microsoft -
NOD32 Win64/Agent.BA
Norman W32/Suspicious_Gen4.AGIPS
nProtect Trojan.Sirefef.GA
Panda -
PCTools -
Rising -
Sophos Troj/Agent-WHI
SUPERAntiSpyware -
Symantec -
TheHacker -
TotalDefense -
TrendMicro -
TrendMicro-HouseCall -
VBA32 -
VIPRE -
ViRobot -
VirusBuster -
 
There you can see what I mean, look at the insane number of times it's been quarantined, it seems like that whole folder is just filled with bad files.
2eygjr6.jpg
 
Download Kaspersky Rescue Disk 10
Burn downloaded .iso file to CD. How to: http://www.petri.co.il/how_to_write_iso_files_to_cd.htm

Boot from Kaspersky Rescue Disk 10. How to boot from CD: http://www.hiren.info/pages/bios-boot-cdrom

A loading wizard will start (you will see the menu to select the required language). See screenshots here: http://support.kaspersky.com/viruses/rescuedisk/main?qid=208286086
If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu.
In Objects Scan tab checkmark:
  • Disk boot sectors
  • Hidden startup objects
  • C:
Click My Update Center tab and update if any available
Go back to other tab and click Start Object Scan.
NOTE. Be patient. It will take a while.

When scan has completed save a report:
  • On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
  • On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
  • On the upper right hand corner of the Detailed report window, click on the Save button.
  • After clicking Detailed Report and 'SAVE', a browse window opens.
  • Double-click on the \
  • Click 'Disks'.
  • All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
  • Click on the Save button.
  • The report has been saved to the file.
Remove the disk from the drive (or disconnect USB) and reboot normally.

Post the content of the file for my review.
 
The scan got bugged and kept scanning the same folder over and over. For some reason it only found one virus.

Objects Scan: stopped 2 minutes ago (events: 4, objects: 1664257, time: 03:41:17)
6/7/12 10:20 PM Task stopped
6/7/12 7:26 PM Untreated: Backdoor.Win32.ZAccess.oun C:/Windows/assembly/GAC_32/Desktop.ini Postponed
6/7/12 7:26 PM Detected: Backdoor.Win32.ZAccess.oun C:/Windows/assembly/GAC_32/Desktop.ini
6/7/12 6:39 PM Task started

That's what it found, also I checked my harddrive with the Rescue Disk and I found the GAC folders in assembly. But it said that the desktop.ini was "DOS/Windows executable", last I checked ini files weren't exe files, were they?
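
The "DOS/Windows executable" label the Rescue Disk showed for Desktop.ini comes from the file's header bytes, not its extension. The following is an added example, not part of the original thread or any tool mentioned in it; the function names and the sample bytes are constructed for illustration. It reads a file's header and flags executable content hidden behind a non-executable extension.

```python
import struct

# Extensions that are expected to hold Windows executable code
EXEC_EXTS = {"exe", "dll", "sys", "scr", "ocx", "cpl", "drv"}
# Machine-type values from the PE/COFF specification
MACHINES = {0x014C: "x86", 0x8664: "x64"}

def classify(data: bytes) -> str:
    """Return 'pe:<arch>', 'mz-only' or 'not-executable' for a file's leading bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-executable"
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return "mz-only"  # DOS stub present, PE header missing or out of range
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return "pe:" + MACHINES.get(machine, hex(machine))

def is_masquerading(name: str, data: bytes) -> bool:
    """True when executable content sits behind a non-executable extension."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    return classify(data) != "not-executable" and ext not in EXEC_EXTS

def check_file(path: str) -> bool:
    """Read only the first 4 KiB of a file on disk and apply the same test."""
    with open(path, "rb") as fh:
        return is_masquerading(path.replace("\\", "/").rsplit("/", 1)[-1], fh.read(4096))

# Constructed samples: a normal text desktop.ini and a minimal x86 PE header
SAMPLE_INI = b"[.ShellClassInfo]\r\nIconResource=shell32.dll,4\r\n"
SAMPLE_PE = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
             + b"PE\0\0" + struct.pack("<H", 0x014C))

if __name__ == "__main__":
    for label, blob in (("text ini", SAMPLE_INI), ("PE content", SAMPLE_PE)):
        print(label, classify(blob), is_masquerading("Desktop.ini", blob))
```
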
 
Also I could see the combofix folder instead of just my drives, so I extracted all the files to a separate folder and I can now see them in regular Windows. How do I run combofix from the files?
 