Sirefef.AI & .AE & AH Constant Notifications

Discussion in 'ESET NOD32 Antivirus' started by HAL900, Jun 20, 2012.

Thread Status:
Not open for further replies.
  1. HAL900

    HAL900 Registered Member

    Joined:
    Nov 28, 2011
    Posts:
    20
    Location:
    USA
    Windows Vista Home Premium SP2 64-bit
    EAV NOD32 AV 4.2.71.2 (cannot use 5.x because Notification messages blacked out)
    Update module: 1040 (20120313)


    Getting notification messaging regarding the trojan Sirefef with multiple different versions. Current and ongoing totals of 57 instances of Sirefef.AH, 79 instances of Sirefef.AE, 45 instances of Sirefef.AI.

    New count totals for those Sirefef versions now at 65, 87, and 51 while waiting for In-Depth scan to complete. There are also a couple separate Sirefef.AI versions and I now also see a Sirefef.W version which has 1 count of it.

    After doing an In-Depth scan this was shown in red:

    C:\Windows\Installer\{a7afd095-2f9b-9866-4f86-15b4904e357d}\U\00000001.@ - Win64/Sirefef.AI trojan - cleaned by deleting - quarantined [1]

    Wondering how to get the constant popups to stop. Seeing a new popup either within seconds of each other (just saw 3 in five seconds) or within minutes.

    Current totals: 80, 110, 70
     
    Last edited: Jun 20, 2012
  2. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    A good idea is to boot from your ESET SysRescue CD with latest signatures.
     
  3. HAL900

    HAL900 Registered Member

    Joined:
    Nov 28, 2011
    Posts:
    20
    Location:
    USA
    My ESET SysRescue CD? Didn't realize I had such a thing.

    Since I don't believe I do have such a thing, I'm hoping someone from ESET might have some other ideas. Thanks though.

    Current totals: 117, 139, 95.

    Pretty constant notifications and pretty annoying. :(
     
  4. HAL900

    HAL900 Registered Member

    Joined:
    Nov 28, 2011
    Posts:
    20
    Location:
    USA
    Trying to find more about this SysRescue disk I found some very interesting things in this particular thread:

    SysRescue 5 - Comments and Questions

    Fidelius seems to nail it, commenting that "Eset is the only vendor using such a complicated method in order to have a rescue CD." Looking at all those convoluted steps I would have to agree.

    Current counts: 196, 174 and 139.

    There's another version that's up to 14 but I guess it's so small I'm just omitting that one. Funny, just typing this new message and I have to increase the counts before I submit this.

    Is there any way to recoup some of the money spent on ESET? I foolishly paid for a 2-year subscription and reading AV-tests and reviews it might be much safer to go to another AV at this point.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Check if C:\Windows\System32\services.exe is detected as Win64/Patched, replace it with a clean copy in safe mode or after booting from a clean medium.
     
  6. HAL900

    HAL900 Registered Member

    Joined:
    Nov 28, 2011
    Posts:
    20
    Location:
    USA
    Would you be able to say that in terms someone that isn't Microsoft certified might understand?

    Otherwise is there anyone that can interpret this for me please?
     
  7. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    What I think Marcos is trying to explain is to check a file (services.exe) located in the following directory: %WINDIR%\system32

    Try to upload this file to the service VirusTotal to see if it is a "patched" (unclean) Microsoft file. And if it is, to repair it, copy this file from a clean source into your %WINDIR%\system32 directory (overwrite your patched services.exe file). I'm not sure if it will work to copy over this file booting from Safe Mode, but if it doesn't you might need a boot disk (can be a CD, USB memory/hard drive); just make sure to set up your system to boot from the source you choose. You might need to be familiar with DOS commands. If you're not, this list should help depending on which boot disk solution you choose.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Exactly :) Not sure if running "sfc.exe /scannow" would fix it, you can try.
     
    Last edited: Jun 21, 2012
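The checks Marcos and kjempen describe in the posts above (is services.exe the original Microsoft file, would sfc.exe repair it, and is the {GUID}\U directory from the first post still present) can be run from one PowerShell session. The script below is an added example, not code from this thread, from ESET or from Microsoft; it assumes 64-bit Vista/7, an elevated 64-bit PowerShell 2.0 or later, and it only reports. Comparing the hash against the copies in WinSxS is my own addition to the procedure, and the sfc.exe /verifyfile call is the read-only counterpart of the /scannow Marcos mentions. Replacing the file from a clean medium, or running /scannow, stays a manual step.

```powershell
# Added example (not from the thread, ESET or Microsoft). Reports on
# %WINDIR%\System32\services.exe and on the Installer\{GUID}\U path pattern
# from the first post. Assumes a 64-bit Vista/7 system and an elevated
# 64-bit PowerShell (a 32-bit one is redirected to SysWOW64 and sees the
# wrong System32). Nothing here modifies the system.

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing rather than Get-FileHash so this runs on PowerShell 2.0
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-ServicesExeReport {
    param([string]$Path = (Join-Path $env:WINDIR 'System32\services.exe'))
    if (-not (Test-Path -LiteralPath $Path)) { throw "Missing: $Path" }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = Get-Sha256Hex -Path $Path

    # Copies of services.exe kept in the component store. sfc.exe repairs
    # from the same store, so a file that matches none of them is what a
    # "patched" binary looks like. Recursing WinSxS can take a minute.
    $storeHashes = @(Get-ChildItem -Path (Join-Path $env:WINDIR 'winsxs') `
            -Recurse -Filter 'services.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like '*amd64*' } |
        ForEach-Object { Get-Sha256Hex -Path $_.FullName })

    New-Object PSObject -Property @{
        Path            = $Path
        FileVersion     = $item.VersionInfo.FileVersion
        SizeBytes       = $item.Length
        # Search VirusTotal for this hash; no need to upload the file itself.
        Sha256          = $hash
        # Caveat: on Vista/7 system binaries are catalog-signed, not
        # embedded-signed, so NotSigned here is inconclusive on its own.
        SignatureStatus = $sig.Status
        MatchesWinSxS   = ($storeHashes -contains $hash)
        WinSxSCopies    = $storeHashes.Count
    }
}

function Test-WithSfc {
    param([string]$Path = (Join-Path $env:WINDIR 'System32\services.exe'))
    # /verifyfile checks one file against the component store without
    # repairing it; /scannow checks and repairs all protected files.
    # sfc.exe writes UTF-16, so switch the console encoding while capturing
    # or the text comes back with a space between every letter.
    $saved = [Console]::OutputEncoding
    try {
        [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
        $out = & (Join-Path $env:WINDIR 'System32\sfc.exe') "/verifyfile=$Path" 2>&1
    } finally {
        [Console]::OutputEncoding = $saved
    }
    return ($out | Out-String).Trim()
}

function Find-InstallerUDirs {
    # The quarantined file in the first post sat under
    # C:\Windows\Installer\{GUID}\U\00000001.@. List any {GUID}\U directories
    # that still exist and what they contain. Installer is hidden, so -Force.
    $root = Join-Path $env:WINDIR 'Installer'
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like '{*}' } |
        ForEach-Object {
            $u = Join-Path $_.FullName 'U'
            if (Test-Path -LiteralPath $u) {
                Get-ChildItem -LiteralPath $u -Force -ErrorAction SilentlyContinue |
                    Select-Object FullName, Length, LastWriteTime
            }
        }
}

# Usage: run all three and read the output before deciding on /scannow or a
# replacement from a clean medium.
Get-ServicesExeReport | Format-List
Find-InstallerUDirs
Test-WithSfc
```

A services.exe whose hash matches a WinSxS copy and which sfc.exe /verifyfile reports clean is unlikely to be the Win64/Patched case Marcos is asking about, which is consistent with the 0/42 VirusTotal result reported later in the thread; a hash that matches nothing in the store, or a non-empty {GUID}\U listing, is the point at which booting from a clean medium is the safer route.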
  9. HAL900

    HAL900 Registered Member

    Joined:
    Nov 28, 2011
    Posts:
    20
    Location:
    USA
    Thank you for something I think I understand somewhat. I "uploaded" my services.exe file to the virustotal website via the Choose File function. The subsequent page gave a "Detection ratio" of 0/42, which I'm assuming means the file is unpatched or clean.

    Ok I'm trying to understand why my $51 dollar AV isn't doing its job. I've read elsewhere that tests show that ESET AV has a shockingly low .5 repair rate and can see why that's a big problem for customers like myself.

    All these Sirefef.XX trojans are in "Quarantine" and yet I'm getting almost non-stop notifications saying they are "cleaned by deleting -- quarantined." Well if that were the case why is it still residing on my computer and why are these red warning notifications continually popping up?!

    Current totals: 249, 271, 202 and 23

    These are only as low as they are since I turn off my computer at night.

    I'm unsure if I can even understand much less do whatever Marcos says. Thank goodness for English speaking people on this forum!
     
  10. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  11. HAL900

    HAL900 Registered Member

    Joined:
    Nov 28, 2011
    Posts:
    20
    Location:
    USA
    Thanks FanJ, I will try to do that.

    I've been doing a lot of reading and these trojans are buggers, likely got my trojan(s) from a video game website. I'm currently doing a deep scan with Malwarebytes and waiting to see what that finds.

    I had installed SpyHunter briefly and it found some things but requires a purchase to fix or clean the objects. In the end I read some less than stellar reviews of it and decided to uninstall the software. Oddly, it almost seemed that the constant ESET red warning notifications stopped while SpyHunter was on my system. I may re-install it again and see if the ESET warnings stop.

    Current totals: 298, 320, 241, 4 and 28. :(
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please contact ESET's Customer Care or email Malware research lab as per the instructions here in case of persistent issues with malware removal.
     