#1
Win32/Sirefef.EZ trojan and other trojans in my computer, Desktop.ini virus, please help
#2
What version Eset? Are you able to run sysinspector log?
http://kb.eset.com/esetkb/index?page...nt&id=SOLN2219
__________________
once we only had ideals, today they are the only things we are missing. Microsoft MVP, 2006 - 2013/14
#3
Hey strawberrys18
Have you updated Eset? The signatures for "Sirefef" are included in virus database 7189.
__________________
Simplicity
#4
Have you run the Sirefef removal tool?
#5
Hi Janus, you looked at the wrong place. The question was about Win32/Sirefef.EZ. http://go.eset.com/us/threat-center/...n32/Sirefef.EZ
#6
Thanks, my mistake. There's always room for (a lot of) improvements, obviously. Have a nice day... Regards, Janus
__________________
Simplicity
#7
I see that eset was updated to remove Win32/Sirefef.EZ trojan but it doesn't remove it in my system. And I can run the sysinspector and did, I have the log. Thanks. P.S. What do I do next? Thanks for the help. P.P.S. I have smart security v 5, and I tried the Sirefef removal tool but it said my system was cleaned.
Last edited by strawberrys18 : June 3rd, 2012 at 12:32 PM.
#8
Is Sirefef detected by ESET when running a scan with the most current signature database? Could you copy & paste the appropriate threat/on-demand scanner log records here?
#9
I have the same problem.
After running a full scan with NOD32 I get:
C:\Windows\assembly\GAC_32\Desktop.ini Win32/Sirefef.EZ trojan No action
C:\Windows\assembly\GAC_64\Desktop.ini Win64/Sirefef.AD trojan No action
I select to delete and after reboot this shows up again. Please help! Someone was able to remove this on the Norton Antivirus forum, but when I posted there they told me they can not help me since I don't have Norton installed. They pointed me to here... http://community.norton.com/t5/Norto...t/false/page/2 Please help me! I've been using NOD32 for a while and now I can't fix this.
#10
I am reformatting my PC. I wonder sometimes what's the purpose of paying for this antivirus software when you don't get any support.
Sirefef.EZ Trojan has been out for almost a month, and if ESET is not aware of it, then they shouldn't be in this business... Later... and good luck to you all
#11
I've been getting the same thing but a different version of sirefef.
I've been getting sirefef.ae and sirefef.ez. What can I do to fix it? I've tried following this and it is very helpful for some but not for the version that I have. -http://www.youtube.com/watch?v=F7KlPBv0yp8- The file that gets noticed by ESET is in C:\Windows\Installer\{a2ea909d-e9b9-6bad-1289-621fb2b694ab} and sometimes I get C:\Windows\assembly\GAC_32\Desktop.ini. The string of numbers and letters in the first one should be the same for people with the same version. That's all I know. If anyone can help me, I would greatly appreciate it.
#12
Hello ryanb
Try this KB article from the Eset library: How do I remove ZeroAccess (Sirefef) rootkit. (See also post 8 from this thread.)
__________________
Simplicity
#13
You may want to try some anti-malware scanners, but you're probably going to have to install them in safe mode with networking or manually remove them through the registry editor, which is risky if you don't know what you are doing.
IMO your best bet is to replace an image and be done with it. Would have been off my system days ago, but that's me, and they don't get on to begin with.
__________________
OS X 10.8.4 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB. http://www.flickr.com/photos/darkshadow1911/
#14
OK Here is what I have found so far:
1. First Sirefef creates a new installation point in: C:\Windows\Installer\{*NUMBERS*}\@
2. Then creates U subdirectory.
3. Then creates a variety of files in the format: 8000000.@
4. Runs executable to stop internet key authentication killing windows firewall resulting in error: 08x007042c
5. It starts Ieplore and then modifies settings.
6. Running Combofix will return your system to a state that is usable and restart windows firewall.
7. As yet current sirefef.EZ trojan variant is new and being analysed.
8. Installs files in C:\windows\assembly\GAC_32 and GAC_64\desktop.ini. This is a subprogram of the trojan. Malwarebytes does not detect it. Windows Defender does not detect it. Eset detected it starting 6 June 2012 but does not clean it.
9. Booting into a separate OS and deleting the files within GAC will not remove it as the main infection is elsewhere and currently unidentified.
10. Sirefef removal tool does not detect it.
11. Update: initial infection?? in: c:\windows\system32\drivers\(random alphanumeric chars).sys
Description: Boot Time Removal Tool
Company: Microsoft Corporation
File Version: 1.1.16.0
Internal Name: BootTimeRemoval
Original File Name: BTR.sys
Product Name: Microsoft Malware Protection
Product Version: 1.1.0016.0
Is this a valid file? zbldqfnl.sys ___ I renamed it ___ This may be a valid byproduct of a rootkit check.
Last edited by d73399 : June 7th, 2012 at 01:05 PM.
#15
Same problem here with Win64.Sirefef.AE
ESS 5.2.9.1 (up-to-date definitions) seemed to detect & quarantine it, but it's been doing this every four minutes and every time I see a new entry in the log and an object in the quarantine. I've tried running the removal tool posted here, but it says it doesn't detect anything. I've submitted it to ESET, but any ideas? Regards, Vaz
#16
1. First Sirefef creates a new installation point in: C:\Windows\Installer\{*NUMBERS*}\@
2. Then creates U subdirectory.
3. Then creates a variety of files in the format: 8000000.@
4. Runs executable to stop internet key authentication killing windows firewall resulting in error: 08x007042c
5. It starts Ieplore and then modifies settings.
6. Running Combofix will return your system to a state that is usable and restart windows firewall.
7. As yet current sirefef.EZ trojan variant is new and being analysed. UPDATE: Installs multiple, hidden, randomchar.exe processes to recreate the desktop.ini when you delete it.
8. Installs files in C:\windows\assembly\GAC_32 and GAC_64\desktop.ini. This is a subprogram of the trojan. Malwarebytes does not detect it. Windows Defender does not detect it. Eset detected it starting 6 June 2012 but does not clean it.
9. Booting into a separate OS and deleting the files within GAC will not remove it as the main infection is elsewhere and currently unidentified.
10. Sirefef removal tool does not detect it.
----
11. aswMBR.exe scanned all sys files and found nothing
12. fixtdss.exe found nothing
13. bootkit remover found nothing
14. Using junction.exe cannot identify an installation point but that may be because I have deleted it already.

OK, it shouldn't be able to move it to quarantine as it's a process in use. Have you checked the c:\windows\install folder for the @ directory and U dir and deleted it?

Edit: Just looked at your screenshot. You need to delete that directory within c:\windows\installer; that will stop the BFE and windows firewall etc. from stopping once you run combofix.

Edit2: You may not have permissions to delete it, so look at the properties of the @ folder and make yourself the owner as well as having full permission. Easiest way is to use Hiren's boot CD and then boot into XP and just delete from there. This makes it less harmful as it won't try and disable parts of your system. The issue now is just figuring out where it places its dropfile which launches the rest of it.

Edit3: Just wait until tomorrow or so. I've given them the trojan dropfile; all they need to do is a snapshot before, run the trojan, snapshot after and examine what it does.
Last edited by d73399 : June 8th, 2012 at 11:39 AM.
#17
For any further help also try one of the dedicated malware removal sites
http://www.wilderssecurity.com/showp...81&postcount=3
__________________
once we only had ideals, today they are the only things we are missing. Microsoft MVP, 2006 - 2013/14
#18
http://www.doitscared.com/1259/recov...rus-infection/
Make sure you have a VALID service.exe for 64 bit or 32 bit.
#19
Since Sirefef patches the system file C:\WINDOWS\system32\services.exe, replace it with a clean copy. If it's not detected and it actually differs from its clean copy, submit it to ESET along with a SysInspector log as per the instructions here.
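A defender-side triage script for the artefacts this thread describes (the Installer {GUID}\@ and U installation point and the GAC Desktop.ini files from posts #14 and #16, and the patched services.exe above), added here as an example; it is not ESET's tool or any poster's code. It assumes you pass in a Windows directory and a known-good services.exe hash you obtained yourself from a clean machine of the same build; the tree scanned in demo() is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Installer subfolder names of the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def find_indicators(win_root: Path, known_good_services_sha256: str) -> list[str]:
    """Report the artefacts the thread describes under a Windows directory."""
    findings = []
    installer = win_root / "Installer"
    if installer.is_dir():
        for d in installer.iterdir():
            # Installation point: {GUID}\@ next to a U subdirectory of *.@ files
            if (d.is_dir() and GUID_DIR.match(d.name)
                    and (d / "@").exists() and (d / "U").is_dir()):
                findings.append(f"installation point: {d}")
    for gac in ("GAC_32", "GAC_64"):
        ini = win_root / "assembly" / gac / "Desktop.ini"
        if ini.is_file():  # a Desktop.ini does not belong in the GAC folders
            findings.append(f"dropped component: {ini}")
    services = win_root / "System32" / "services.exe"
    if services.is_file():
        digest = hashlib.sha256(services.read_bytes()).hexdigest()
        if digest != known_good_services_sha256.lower():
            findings.append(f"services.exe does not match known-good hash: {services}")
    return findings

def build_demo_tree(root: Path, infected: bool) -> str:
    """Constructed sample tree; returns the SHA-256 of a stand-in clean services.exe."""
    clean = b"stand-in for a clean services.exe"
    (root / "System32").mkdir(parents=True)
    if infected:
        inst = root / "Installer" / "{a2ea909d-e9b9-6bad-1289-621fb2b694ab}"
        (inst / "U").mkdir(parents=True)
        (inst / "@").write_bytes(b"")
        (inst / "U" / "8000000.@").write_bytes(b"payload stand-in")
        for gac in ("GAC_32", "GAC_64"):
            (root / "assembly" / gac).mkdir(parents=True)
            (root / "assembly" / gac / "Desktop.ini").write_bytes(b"[.ShellClassInfo]")
        (root / "System32" / "services.exe").write_bytes(clean + b" + patch")
    else:
        (root / "System32" / "services.exe").write_bytes(clean)
    return hashlib.sha256(clean).hexdigest()

def demo(infected: bool = True) -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Windows"
        return find_indicators(root, build_demo_tree(root, infected))
```

Against a real system, call find_indicators(Path(r"C:\Windows"), hash) from an offline boot or a clean account, since the thread notes the dropped processes recreate Desktop.ini and hold services.exe in use.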
#20
Marcos
How do I go about getting a clean copy of services.exe? Also just today I got an eset warning saying that services.exe is a virus but said "error deleting". edit: I was looking around and found out that Services.exe is the normal file but services.exe (with lower case) is a virus file.
Last edited by ryanb : June 11th, 2012 at 07:41 PM.
#22
Ok. I think I got rid of it.
1. I followed the instructions in the video in my first post up until he started messing with registries (deleting the /Installer/{----} file that was making eset go crazy).
2. Then I ran a whole bunch of registry checkers and fixers.
3. And finally I copied the services.exe file from another win7 computer and replaced the one I had on my computer using puppy linux to boot. The same way I did for deleting the file in number 1.
4. Now I'm just running some more registry fixers and that system file checker thing, but I haven't gotten any virus notices or errors or anything so I think I'm good.
edit: Actually I am getting notifications but they say "Detected Port Scanning Attack Remote IP Address: 192.168.1.101" and the log says it was checking port 139. I looked online and it's because windows homegroup doesn't play well with 3rd party firewalls so that should be fine.
Last edited by ryanb : June 12th, 2012 at 12:49 AM.
#23
Hello dear Marcos, please help me to remove Win32/Sirefef.EV trojan. Thank you
#24
My injury has this virus previously
The ESET deletion fails. The solution was with Dr.Web CureIt!
https://www.freedrweb.com/download+cureit+free/?lng=en
download http://www.freedrweb.com/download+cureit/gr/?lng=en
scan computer