MSE found Trojan:Win64/Sirefef.Y.

We click to clean the computer but it gives us a shutdown message.  It counts down and then restarts.  It does not give MSE time to clean it out. What can we do?

Thanks!

Last updated May 16, 2018. Views 2,569.
Answer
I might try this before reformatting/reinstalling the Windows 7 partition...


http://www.techspot.com/community/topics/sirefef-removal-windows-auto-shuts-down.181372/


This may be the option for someone without a Windows installation disk...

However, I'm really not sure it would not just be easier to grab my important files (docs, pics, vids, etc.), throw them on an external hard drive, and start fresh.


Answer

Agreed, definitely try that. The option would not work for me because my computer would restart too quickly to do anything when I booted Windows.  Also, reinstalling the OS may not be a surefire solution.  Don't quote me, but I read somewhere that this virus can survive an OS reinstall somehow. Worth looking into before starting fresh.

I have finally fixed it using this technique (you will need another functioning partition or computer to do this. I have an Ubuntu partition I used for downloading software and installing it to USB):


READ IN ENTIRETY BEFORE ATTEMPTING AT OWN RISK

(messing with services.exe file near end is the only “risky” area)


Download Kaspersky Rescue AV and install it on a disc or USB

Restart and run a full scan after the Kaspersky Rescue disk boots

Allow Kaspersky to fix/delete any infected files found; for me it couldn't fix any, so I deleted them all.

(more detailed instructions on all of this are on their website)


Next, download the **32 BIT VERSION** of Ubuntu from their website.

(regardless of whether you have a 64 bit machine, you need to run 32 bit Ubuntu for this to work)

Make a persistent image of it on a USB so it would be bootable

(persistent means any programs or files created on it would be saved, instructions on their website)


Boot that USB drive and choose "Try Ubuntu", connect your wifi, open Firefox and do a Google search for "avast for linux"

I think it's the first result; it's not a hard site to find. When you have found the webpage, click "Download"

A small box comes up, choose the DEB package

After it has downloaded, click the file to open it in the software center (it may do so automatically)

The software center might say "this is not a trusted source" or something along those lines. Choose ignore and install anyway.

The software center will handle the installation.


After it has successfully installed, press Ctrl+Alt+T to open the terminal

Enter or copypaste this into the terminal:

sudo sysctl kernel.shmmax

That displays your current maximum SHM block size. Its value is likely 33554432. Then input this into the terminal:

sudo sysctl -w kernel.shmmax=$((33554432*2))

(that doubles the kernel's allowable max size of one SHM block. Reason? Older kernels have an artificial limitation which dictates the maximum size of one SHM block in bytes, and one block of the avast database exceeded this limit. Relax them to more reasonable values. That's it.)


Now open avast from the "Dash Home"

"Update" your virus database. If you get this: "cannot initialize avast! engine: invalid argument" then repeat the steps above to increase the max kernel block size to something even larger (try doubling it again). It shouldn't be a problem though, because you already doubled it once.

(Keep in mind that this is one of the few settings that a persistent USB will not retain on reboot, so if you need to use the bootable USB again you will have to run the steps to increase the kernel block size allowance again. Fortunately, after you open the terminal you can just hit the Up Arrow to find and repeat old commands.)


Now that your avast! antivirus database has updated, it's time to run a scan. Run a full system scan to keep things simple and all-inclusive.

avast may find quite a few issues; I recommend you just delete them all. Sirefef and its peripheral components like to hide in file names that seem harmless.


An important thing to note: your "pagefile.sys" may come up as infected (this is a Windows file). It is fine to delete this, but I do not recall avast! being able to do so. I went in manually and deleted it from the Ubuntu file browser (can't remember the location at the moment, but avast should tell you where to find it). I also believe I had to press Ctrl+H to unhide protected system files to find it.

I realize it sounds crazy to delete a Windows system file and expect Windows to boot normally, but actually when Windows boots up, if it can't find the pagefile.sys it simply makes a new one. The purpose of the file is to offer a place for Windows to put information when the computer's RAM runs out. These days that doesn't commonly happen because everyone has a lot of RAM and Windows 7/Vista are optimized to use the pagefile as little as possible, but sometimes it can be necessary.

Evidenced Here: http://ask-leo.com/can_i_delete_pagefilesys_what_is_it.html


Update Below **I believe there is another Windows file that was infected, but luckily there is a backup in the "winsxs" folder somewhere. However, it's not as easy as "delete, copy backup, paste in correct location"... this file must be deleted because it is infected, then copied to the correct location, then hard linked to the backup location. I'll get to that at a later date, hopefully tomorrow.**


For me, the other system file that was infected by the Sirefef virus is called services.exe (C:\Windows\System32\services.exe -->731). This controls services starting and stopping, explaining why my computer would shut down soon after every windows boot from a critical error. From some searching, it seems there may be repair tools and methods for restoring this file, so try that first if you can. However, my computer would restart within one minute, not enough time to run any repair tools. So here’s what I did.


BEFORE PROCEEDING, READ THE FOLLOWING A FEW TIMES TO BE SURE YOU UNDERSTAND THE INSTRUCTIONS AND ENSURE YOU HAVE LOCATED EACH FILE.


Again boot into the Ubuntu persistent USB drive, open the terminal.

Delete the infected services.exe file and hard link from the terminal: sudo find '/media/%Name of Drive%/Windows' -samefile '/media/%Name of Drive%/Windows/System32/services.exe' -print0 | sudo xargs -0 rm

(The path of the services file is different for everyone. It is recommended to find it with the Ubuntu file browser first, right click it, and copypaste the location into the terminal. Also note that the drive is typically mounted in "/media/". If you cannot find the drive, search Google for mounting drives in Ubuntu. Be sure to put apostrophes on each end of the path.)

(the “find -samefile” command searches for the hard link, “ | xargs rm” executes a deletion based on what is found)


This file was hard linked to another location, meaning that deleting just one instance will not fully eliminate the file. To find the other instance, search /Windows/winsxs/ for files containing “services.exe”. Ignore the files located in “Backup”. There should be another location that looks something like this:

Windows/winsxs/amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1/services.exe

This is the other hard link. Run the find, delete on this as well:

sudo find '/media/%Name of Drive%/Windows' -samefile '/media/%Name of Drive%/Windows/winsxs/amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1/services.exe' -print0 | sudo xargs -0 rm


This Windows file, essential to the operating system, appears to be gone. But all is not lost. After a lot of research and investigating, I made the executive decision that the “winsxs” folder in C:/Windows has backups of all Windows files. It is hard to find very clear, distinct information on winsxs, but one huge directory within is labeled “Backup” and has the file we are looking for, so I went for it.


Now that the infection seems to be gone, it is time to replace the file. Remember, not just a copypaste job.

Open the terminal and enter:

cd '/media/%Name of Drive%/Windows'

sudo cp winsxs/Backup/amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1_services.exe_abfc33da System32/services.exe

("cd" sets the directory we will be working in. "cp" is the copy command: first specify the file location, then specify the copy location and copy name)


Now recreate the hard link file:

cd System32

sudo ln services.exe '/media/%Name of Drive%/Windows/winsxs/amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1/services.exe'

(once again, "cd" specifies the directory. "ln" creates a hard link: first specify which file, then specify the location and name for the hard link)


Note that those long file/folder names like “amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1” are going to be different depending on the user/machine. I would guess that the correct file/folder for someone running a 32 bit machine would be “x86_microsoft-windows-s...” Search for services.exe to find yours.


Close the terminal, shut down your computer, remove the USB, boot into windows... and in theory everything is working great. I highly recommend running a full system scan with your antivirus software as well as Malwarebytes Anti-Malware: www.malwarebytes.org



These directions may seem long and overly specific, but I figured most people here are Windows users who may have never used Linux/Ubuntu or the terminal before.

Also, I cannot guarantee this method will work for you, but it worked like a charm for me. Hope it helps others.

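The hard-link behaviour that the answer's find/cp/ln steps depend on, rehearsed in a throwaway directory as an added example (not part of the original answer or any product's code). The winsxs component names are constructed placeholders standing in for the long real ones, and the "infected"/"clean" file contents are constructed markers.

```shell
#!/bin/sh
# Added example, not from the original post: rehearses the services.exe
# hard-link removal and restore in a temporary directory so the effect of
# each step on the shared inode can be checked. Directory names mimic the
# post's winsxs layout but are constructed placeholders.
set -eu

ROOT="$(mktemp -d)"
WIN="$ROOT/Windows"
SXS="$WIN/winsxs/amd64_microsoft-windows-s..s-servicecontroller_PLACEHOLDER"
BAK="$WIN/winsxs/Backup/amd64_microsoft-windows-s..s-servicecontroller_PLACEHOLDER_services.exe_PLACEHOLDER"
mkdir -p "$WIN/System32" "$SXS" "$(dirname "$BAK")"

# Constructed fixture: one "infected" inode reachable from two paths, plus a
# clean backup that is a separate inode (as the post describes winsxs/Backup).
printf 'INFECTED' > "$WIN/System32/services.exe"
ln "$WIN/System32/services.exe" "$SXS/services.exe"
printf 'CLEAN' > "$BAK"

# Number of directory entries sharing the file's inode (GNU stat, BSD fallback).
link_count() { stat -c %h "$1" 2>/dev/null || stat -f %l "$1"; }

# Step 1 (the post's "find -samefile | xargs rm"): delete every path that
# shares the inode. A plain "rm System32/services.exe" would leave the winsxs
# entry, and with it the infected data, on disk. A search root is required,
# and -print0/-0 keeps paths with spaces intact.
remove_all_links() { find "$WIN" -samefile "$1" -print0 | xargs -0 rm -f; }

# Step 2 (the post's cp + ln): copy the clean backup into System32, then
# re-create the winsxs entry as a hard link so both paths share one inode.
restore_from_backup() {
    cp "$BAK" "$WIN/System32/services.exe"
    ln "$WIN/System32/services.exe" "$SXS/services.exe"
}

# Expected: "2 INFECTED" before, 0 services.exe paths after step 1, "2 CLEAN" after step 2.
before="$(link_count "$WIN/System32/services.exe") $(cat "$WIN/System32/services.exe")"
remove_all_links "$WIN/System32/services.exe"
remaining="$(find "$WIN" -name services.exe | wc -l | tr -d ' ')"
restore_from_backup
after="$(link_count "$WIN/System32/services.exe") $(cat "$WIN/System32/services.exe")"
echo "before=$before remaining_after_rm=$remaining after=$after"
```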