Need help bad ... Win32/Sirefef.EZ trojan

Discussion in 'ESET Smart Security' started by strawberrys18, Jun 2, 2012.

Thread Status:
Not open for further replies.
  1. strawberrys18 (Registered Member)

    Win32/Sirefef.EZ trojan and other trojans on my computer, Desktop.ini virus, please help o_O
  2. Cudni (Global Moderator)

  3. Janus (Registered Member)

    Hey strawberrys18,
    Have you updated Eset? The signatures for "Sirefef" are included in virus database 7189.

    Attached file: nu.png
  4. Marcos (Eset Staff Account)

  5. FanJ (Updates Team)

  6. Janus (Registered Member)

  7. strawberrys18 (Registered Member)

    I see that Eset was updated to remove the Win32/Sirefef.EZ trojan, but it doesn't remove it from my system. And I can run SysInspector and did; I have the log. Thanks. P.S. What do I do next? Thanks for the help. P.P.S. I have Smart Security v5, and I tried the Sirefef removal tool, but it said my system was cleaned.
    Last edited: Jun 3, 2012
  8. Marcos (Eset Staff Account)

    Is Sirefef detected by ESET when running a scan with the most current signature database? Could you copy & paste the appropriate threat/on-demand scanner log records here?
  9. Euphoria_mk (Registered Member)

    I have the same problem.
    After running a full scan with NOD32 I get:

    C:\Windows\assembly\GAC_32\Desktop.ini Win32/Sirefef.EZ trojan No action
    C:\Windows\assembly\GAC_64\Desktop.ini Win64/Sirefef.AD trojan No action

    I select to delete and after reboot this shows up again.

    Please help!

    Someone was able to remove this on the Norton Antivirus forum, but when I posted there they told me they cannot help me since I don't have Norton installed. They pointed me to here...

    http://community.norton.com/t5/Nort...t-Messages/td-p/728702/highlight/false/page/2

    Please help me! I've been using NOD32 for a while and now I can't fix this.
  10. Euphoria_mk (Registered Member)

    I am reformatting my PC. I wonder sometimes what's the purpose of paying for this antivirus software when you don't get any support.

    Sirefef.EZ Trojan has been out for almost a month, and if ESET is not aware of it, then they shouldn't be in this business...

    Later... and good luck to you all
  11. ryanb (Registered Member)

    I've been getting the same thing but a different version of Sirefef.
    I've been getting Sirefef.AE and Sirefef.EZ.

    What can I do to fix it?
    I've tried following this, and it is very helpful for some but not for the version that I have.
    http://www.youtube.com/watch?v=F7KlPBv0yp8

    The file that gets noticed by ESET is in
    C:\Windows\Installer\{a2ea909d-e9b9-6bad-1289-621fb2b694ab}
    and sometimes I get
    C:\Windows\assembly\GAC_32\Desktop.ini

    The string of numbers and letters in the first one should be the same for people with the same version.

    That's all I know. If anyone can help me, I would greatly appreciate it.
  12. Janus (Registered Member)

  13. Dark Shadow (Registered Member)

    You may want to try some anti-malware scanners, but you're probably going to have to install them in Safe Mode with Networking, or manually remove them through Registry Editor, which is risky if you don't know what you are doing.

    IMO your best bet is to restore an image and be done with it. Would have been off my system days ago, but that's me, and they don't get on to begin with. :D
  14. d73399 (Registered Member)

    OK. Here is what I have found so far:

    1. First, Sirefef creates a new installation point in:

    C:\Windows\Installer\{*NUMBERS*}\@

    2. Then it creates a U subdirectory.

    3. Then it creates a variety of files in the format: 8000000.@

    4. Runs an executable to stop internet key authentication, killing Windows Firewall, resulting in error: 08x007042c

    5. It starts Ieplore and then modifies settings.

    6. Running Combofix will return your system to a usable state and restart Windows Firewall.

    7. As yet the current Sirefef.EZ trojan variant is new and being analysed.

    8. Installs files in C:\windows\assembly\GAC_32 and GAC_64\desktop.ini

    This is a subprogram of the trojan.

    Malwarebytes does not detect it.

    Windows Defender does not detect it.

    Eset detected it starting 6 June 2012 but does not clean it.

    9. Booting into a separate OS and deleting the files within the GAC will not remove it, as the main infection is elsewhere and currently unidentified.

    10. Sirefef removal tool does not detect it.

    11. Update: initial infection?? in: c:\windows\system32\drivers\(random alphanumeric chars).sys

    Description: Boot Time Removal Tool
    Company: Microsoft Corporation
    File Version: 1.1.16.0
    Internal Name: BootTimeRemoval
    Original File Name: BTR.sys
    Product Name: Microsoft Malware Protection
    Product Version: 1.1.0016.0

    Is this a valid file?

    zbldqfnl.sys___

    I renamed it ___

    This may be a valid byproduct of a rootkit check.
    Last edited: Jun 7, 2012
  15. Vasquez (Registered Member)

    Same problem here with Win64.Sirefef.AE

    ESS 5.2.9.1 (up-to-date definitions) seemed to detect & quarantine it, but it's been doing this every four minutes, and every time I see a new entry in the log and an object in the quarantine.

    I've tried running the removal tool posted here, but it says it doesn't detect anything.

    I've submitted it to ESET, but any ideas?

    Regards, Vaz

  16. d73399 (Registered Member)

    1. First, Sirefef creates a new installation point in:

    C:\Windows\Installer\{*NUMBERS*}\@

    2. Then it creates a U subdirectory.

    3. Then it creates a variety of files in the format: 8000000.@

    4. Runs an executable to stop internet key authentication, killing Windows Firewall, resulting in error: 08x007042c

    5. It starts Ieplore and then modifies settings.

    6. Running Combofix will return your system to a usable state and restart Windows Firewall.

    7. As yet the current Sirefef.EZ trojan variant is new and being analysed.

    UPDATE:

    Installs multiple, hidden, randomchar.exe processes to recreate the desktop.ini when you delete it.

    8. Installs files in C:\windows\assembly\GAC_32 and GAC_64\desktop.ini

    This is a subprogram of the trojan.

    Malwarebytes does not detect it.

    Windows Defender does not detect it.

    Eset detected it starting 6 June 2012 but does not clean it.

    9. Booting into a separate OS and deleting the files within the GAC will not remove it, as the main infection is elsewhere and currently unidentified.

    10. Sirefef removal tool does not detect it.
    ----
    11. aswMBR.exe scanned all sys files and found nothing.
    12. fixtdss.exe found nothing.
    13. Bootkit remover found nothing.
    14. Using junction.exe cannot identify an installation point, but that may be because I have deleted it already.

    OK, it shouldn't be able to move it to quarantine as it's a process in use. Have you checked the c:\windows\install folder for the @ directory and U dir and deleted it?

    Edit: Just looked at your screenshot. You need to delete that directory within c:\windows\installer; that will stop the BFE and Windows Firewall etc. from stopping once you run Combofix.
    Edit2: You may not have permissions to delete it, so look at the properties of the @ folder and make yourself the owner as well as having full permission. The easiest way is to use Hiren's Boot CD and then boot into XP and just delete from there. This makes it less harmful as it won't try and disable parts of your system. The issue now is just figuring out where it places its dropfile which launches the rest of it.
    Edit3: Just wait until tomorrow or so. I've given them the trojan dropfile; all they need to do is a snapshot before, run the trojan, snapshot after, and examine what it does.
    Last edited: Jun 8, 2012
  17. Cudni (Global Moderator)

  18. d73399 (Registered Member)

  19. Marcos (Eset Staff Account)

    Since Sirefef patches the system file C:\WINDOWS\system32\services.exe, replace it with a clean copy. If it's not detected and it actually differs from its clean copy, submit it to ESET along with a SysInspector log as per the instructions here.
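    Pulling together the artifacts d73399 lists above (the Installer\{GUID}\@ directory with its U subfolder and *.@ files, the Desktop.ini files under GAC_32/GAC_64) and Marcos' advice to compare services.exe against a clean copy, here is an added read-only triage checker. It is not code from any poster or from ESET; the directory names, the name patterns and the sample layout it builds for itself are assumptions drawn from the posts, and a hash match against a clean copy is used as the "differs from its clean copy" test.

```python
"""Added triage checker for the Sirefef artifacts described in this thread. Point it at a
Windows volume root (ideally an offline-mounted image); it only reports, never deletes."""
import hashlib
import re
import tempfile
from pathlib import Path

GUID_DIR_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)  # {a2ea909d-...} style dir name
AT_FILE_RE = re.compile(r"^[0-9a-f]+\.@$", re.I)        # "8000000.@" style payload file

def find_sirefef_indicators(root, clean_services_exe=None):
    """Return (indicator, path) tuples found under root. clean_services_exe is an
    optional known-good services.exe to hash-compare against, as Marcos suggests."""
    root, findings = Path(root), []
    installer = root / "Windows" / "Installer"
    if installer.is_dir():  # items 1-3: {GUID}\@ directory, its U subdir, *.@ files
        for guid_dir in installer.iterdir():
            at_dir = guid_dir / "@"
            if GUID_DIR_RE.match(guid_dir.name) and at_dir.is_dir():
                findings.append(("installer_at_dir", str(at_dir)))
                if (at_dir / "U").is_dir():
                    findings.append(("installer_u_dir", str(at_dir / "U")))
                for f in at_dir.rglob("*"):
                    if f.is_file() and AT_FILE_RE.match(f.name):
                        findings.append(("at_payload_file", str(f)))
    for gac in ("GAC_32", "GAC_64"):  # item 8: Desktop.ini dropped into the GAC dirs
        ini = root / "Windows" / "assembly" / gac / "Desktop.ini"
        if ini.is_file():
            findings.append(("gac_desktop_ini", str(ini)))
    services = root / "Windows" / "System32" / "services.exe"
    if clean_services_exe and services.is_file():  # patched services.exe check
        if (hashlib.sha256(services.read_bytes()).hexdigest()
                != hashlib.sha256(Path(clean_services_exe).read_bytes()).hexdigest()):
            findings.append(("services_exe_modified", str(services)))
    return findings

def build_sample_tree():
    """Constructed sample (plain text files, not malware) laying out the thread's
    paths in a temp dir; returns (root, clean_services_copy) as strings."""
    root = Path(tempfile.mkdtemp())
    at_dir = root / "Windows" / "Installer" / "{a2ea909d-e9b9-6bad-1289-621fb2b694ab}" / "@"
    (at_dir / "U").mkdir(parents=True)
    (at_dir / "U" / "8000000.@").write_text("constructed sample")
    (root / "Windows" / "assembly" / "GAC_32").mkdir(parents=True)
    (root / "Windows" / "assembly" / "GAC_32" / "Desktop.ini").write_text("constructed")
    (root / "Windows" / "System32").mkdir(parents=True)
    (root / "Windows" / "System32" / "services.exe").write_text("constructed: patched copy")
    (root / "clean_services.exe").write_text("constructed: clean copy")
    return str(root), str(root / "clean_services.exe")
```

    Run it against a live system only as a report; the thread shows the files get recreated by hidden processes, so removal belongs to an offline boot or the vendor tool.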
  20. ryanb (Registered Member)

    Marcos,
    How do I go about getting a clean copy of services.exe? Also, just today I got an ESET warning saying that services.exe is a virus, but it said "error deleting".

    edit:
    I was looking around and found out that Services.exe is the normal file but services.exe (with lower case) is a virus file.
    Last edited: Jun 11, 2012
  21. Marcos (Eset Staff Account)

    Try running sfc.exe as per the instructions here.
    In Windows, case doesn't matter. You cannot have more files with the same name but different case in a folder.
  22. ryanb (Registered Member)

    OK. I think I got rid of it.
    1. I followed the instructions in the video in my first post up until he started messing with registries (deleting the /Installer/{----} file that was making ESET go crazy).

    2. Then I ran a whole bunch of registry checkers and fixers.

    3. And finally I copied the services.exe file from another Win7 computer and replaced the one I had on my computer, using Puppy Linux to boot. The same way I did for deleting the file in number 1.

    4. Now I'm just running some more registry fixers and that System File Checker thing, but I haven't gotten any virus notices or errors or anything, so I think I'm good.

    edit:
    Actually I am getting notifications, but they say "Detected Port Scanning Attack Remote IP Address: 192.168.1.101" and the log says it was checking port 139. I looked online and it's because Windows HomeGroup doesn't play well with 3rd-party firewalls, so that should be fine.
    Last edited: Jun 12, 2012
  23. mor20 (Registered Member)

    Hello Dear Marcos,
    please help me to remove the Win32/Sirefef.EV trojan.

    thank you
  24. lonely22 (Registered Member)
