Darxicus 0 Posted May 12, 2014
Hi. Earlier today ESET NOD32 came up with a message indicating that the Win32/Sirefef trojan was found in the operating memory. I have tried several things found on the internet, but none worked. I also ran the Windows Malicious Software Removal Tool, and it actually detected malware, but upon a restart ESET gave the same error. What really baffles me is that ESET gives no option to clean or even quarantine or send the trojan for analysis; the only option I have is "No action". Could someone please try to assist me in attempting to remove the trojan?
System Specs:
Windows 7 Home Premium 32-bit Service Pack 1
Pentium Dual-Core E6700 3.20 GHz
RAM: 4.00 GB (2.71 usable)
OS installed on 371 GB partition of 500 GB drive, 1 TB external drive connected
ESET NOD32 Antivirus version 7.0.302.26
Administrators Solution Marcos 4,704 Posted May 12, 2014
Try running the Sirefef cleaner with the "/f" switch, which should remove Sirefef remnants that might be detected.
Arakasi 549 Posted May 12, 2014
Yeah, Sirefef is pretty ugly, hence the standalone cleaner Marcos has linked. It requires multiple reboots to clean.
TBPlayer 0 Posted May 13, 2014
Hello, I've run into the same thing as the OP: NOD32 puts up a warning that the Win32/Sirefef trojan was found in the operating memory. I've run the Sirefef cleaner that Marcos linked above twice (2 reboots each time), but I'm still getting the warning. I had this virus before (about a year ago or so) and successfully removed it with a tool I downloaded from ESET. But I can't seem to get rid of it this time. My PC doesn't exhibit any of the symptoms of this virus, just the warning from NOD32. I wonder if this might be a false positive?
Arakasi 549 Posted May 13, 2014
Please follow these instructions explicitly.
hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2895
If the tool says you are infected, you are infected. It's not an FP.
curtp 1 Posted May 13, 2014
I have the exact problem that Darxicus reported. When I download and run the executable from the link posted by Arakasi, I get the following result:
Scanning for system infection...
---------------------------------------
Threat Not Found
You don't have Win32/Sirefef in your system.
[Press Any Key]
curtp 1 Posted May 13, 2014
I have also run the executable with the /f switch as Marcos suggested. The program ran and the computer rebooted. I was prompted to run the program again; I did so, and the computer rebooted again and started up normally. However, the threat alert remains, and ESET reports the trojan is present when I scan operating memory.
Arakasi 549 Posted May 13, 2014
I can only suggest possibly phoning in to support and letting them take samples if it's a new variant. They may help you with the cleaning process as well after license verification. Marcos may have more to add, so stick around just in case.
curtp 1 Posted May 13, 2014
Thank you, Arakasi, for the reply. I had the software do a Customer Care support submission with the registry and all of the other information it gathers. I hope to hear from someone tomorrow.
Arakasi 549 Posted May 13, 2014
If you don't hear from someone by end of day, I would phone in the following day.
Administrators Marcos 4,704 Posted May 13, 2014
We're planning to release an updated version of the Sirefef cleaner within a couple of hours, which will remove Sirefef remnants from the disk even if Sirefef is no longer active in the system.
Darxicus 0 Posted May 13, 2014 Author
How many reboots does it take to clean it fully? It's already done it like seven or eight times to no avail.
curtp 1 Posted May 13, 2014
Darxicus, I couldn't get the removal tool to work for me, either. I called ESET San Diego, and it was necessary for them to take remote control of my machine and manually clean the trojan. The process was painless and quick, and the reps were professional and friendly.
Arakasi 549 Posted May 13, 2014
Awesome! Thanks for updating.
safety 2 Posted May 14, 2014
utility Falls v 1.1.0.19
[2014.05.14 22:34:00.671] -
[2014.05.14 22:34:00.703] -
[2014.05.14 22:34:00.703] - INFO: Removing remnants of Win32/Sirefef threat...
[2014.05.14 22:34:01.375] -
[2014.05.14 22:34:01.375] - INFO: Win32/Sirefef was successfully removed from your system.
[2014.05.14 22:34:01.375] - --------------------------------------------------------------------------------
[2014.05.14 22:34:01.375] - INFO: Logging finished successfully...
[2014.05.14 22:34:01.375] - --------------------------------------------------------------------------------
after a new scan
[2014.05.14 22:35:35.062] -
[2014.05.14 22:35:35.078] -
[2014.05.14 22:35:35.078] - INFO: Removing remnants of Win32/Sirefef threat...
[2014.05.14 22:35:35.109] -
[2014.05.14 22:35:35.109] - INFO: Win32/Sirefef was successfully removed from your system.
[2014.05.14 22:35:35.109] - --------------------------------------------------------------------------------
[2014.05.14 22:35:35.109] - INFO: Logging finished successfully...
[2014.05.14 22:35:35.109] - --------------------------------------------------------------------------------
Scan Log
Version of virus signature database: 9799P (20140514)
Date: 14.05.2014 Time: 22:27:06
Scanned disks, folders and files: Operating memory
Number of scanned objects: 389
Number of threats found: 0
Time of completion: 22:27:40 Total scanning time: 34 sec (00:00:34)
Darxicus 0 Posted May 14, 2014 Author
Quoting curtp: "Darxicus, I couldn't get the removal tool to work for me, either. I called ESET San Diego and it was necessary for them to take remote control of my machine and manually clean the trojan. The process was painless and quick and the reps were professional and friendly."
I may try that.
safety 2 Posted May 15, 2014
in this topic hxxp://forum.esetnod32.ru/forum6/topic10845/
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org
Database version: v2014.05.14.02
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.17107
Computer :: GIN [administrator]
14.05.2014 12:54:18
mbar-log-2014-05-14 (12-54-18).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Kernel memory modifications detected. Deep Anti-Rootkit Scan engaged.
Objects scanned: 286246
Time elapsed: 29 minute(s), 53 second(s)
Memory Processes Detected: 0 (No malicious items detected)
Memory Modules Detected: 0 (No malicious items detected)
Registry Keys Detected: 0 (No malicious items detected)
Registry Values Detected: 0 (No malicious items detected)
Registry Data Items Detected: 0 (No malicious items detected)
Folders Detected: 4
c:\windows\$ntuninstallkb3296$\1644588774 (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\l (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\194118127 (Backdoor.0Access) -> Delete on reboot.
Files Detected: 13
c:\windows\$ntuninstallkb3296$\1644588774\l\xadqgnnk (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\00000001.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\00000002.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\00000004.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\80000000.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\80000004.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\80000032.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\bckfg.tmp (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\cfg.ini (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\desktop.ini (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\keywords (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\kwrd.dll (Backdoor.0Access) -> Delete on reboot.
Physical Sectors Detected: 0 (No malicious items detected)
(end)
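The MBAR log above shows the on-disk layout that the cleaner later schedules for removal: a $NtUninstallKB...$ folder under C:\Windows holding a numeric subfolder with an "@" marker file and "u"/"l" subfolders of *.@ files. As an added defender-side check (not from this thread, not ESET's or Malwarebytes' code), the Python below walks a Windows directory, live or an offline copy, and flags folders matching that layout; the directory names and file patterns are taken from the log, and the sample tree, including the KB999999 "legitimate" folder, is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Layout taken from the MBAR log in this thread (Backdoor.0Access remnants):
#   C:\Windows\$NtUninstallKB3296$\<digits>\{@, u\*.@, l\<name>, cfg.ini, ...}
UNINSTALL_DIR = re.compile(r"^\$NtUninstallKB\d+\$$", re.IGNORECASE)
PAYLOAD_FILE = re.compile(r"^[0-9a-f]{8}\.@$", re.IGNORECASE)


def looks_like_sirefef_remnant(folder: Path) -> bool:
    """True for a purely numeric subfolder that carries the '@' marker
    or a 'u'/'l' subfolder containing 8-hex-digit *.@ files."""
    if not folder.name.isdigit():
        return False
    if (folder / "@").is_file():
        return True
    for sub in ("u", "l"):
        d = folder / sub
        if d.is_dir() and any(PAYLOAD_FILE.match(p.name) for p in d.iterdir()):
            return True
    return False


def find_remnants(windows_dir: Path) -> list[str]:
    """Scan a Windows directory for $NtUninstallKB…$ folders with the remnant layout."""
    hits = []
    for entry in windows_dir.iterdir():
        if entry.is_dir() and UNINSTALL_DIR.match(entry.name):
            for child in entry.iterdir():
                if child.is_dir() and looks_like_sirefef_remnant(child):
                    hits.append(str(child))
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample: one remnant mirroring the log, one benign uninstall folder."""
    root = Path(tempfile.mkdtemp()) / "Windows"
    bad = root / "$NtUninstallKB3296$" / "1644588774"
    (bad / "u").mkdir(parents=True)
    (bad / "l").mkdir()
    (bad / "@").write_bytes(b"")
    for name in ("00000001.@", "80000032.@"):
        (bad / "u" / name).write_bytes(b"")
    good = root / "$NtUninstallKB999999$"  # constructed placeholder, no numeric subfolder
    good.mkdir()
    (good / "constructed.txt").write_text("not a remnant")
    return root


if __name__ == "__main__":
    for hit in find_remnants(build_sample_tree()):
        print("possible Sirefef remnant:", hit)
```

Point find_remnants at the Windows folder of a mounted image to check other machines; a hit only means the layout is present, so confirm with the vendor tool before deleting anything.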
safety 2 Posted May 15, 2014
later
[2014.05.15 13:06:47.253] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Sirefef
[2014.05.15 13:06:47.254] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 1.1.0.19
[2014.05.15 13:06:47.255] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: May 14 2014
[2014.05.15 13:06:47.256] - .::EE:::::::::::::SS:.EE..........TT......
[2014.05.15 13:06:47.256] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright © ESET, spol. s r.o.
[2014.05.15 13:06:47.257] - ..::::::::::::::::::.................... 1992-2013. All rights reserved.
[2014.05.15 13:06:47.257] - ....................................
[2014.05.15 13:06:47.257] -
[2014.05.15 13:06:47.257] - --------------------------------------------------------------------------------
[2014.05.15 13:06:47.257] -
[2014.05.15 13:06:47.258] - INFO: OS: 6.1.7601 SP1
[2014.05.15 13:06:47.258] - INFO: Product Type: Workstation
[2014.05.15 13:06:47.258] - INFO: WoW64: False
[2014.05.15 13:06:47.259] - INFO: Machine guid: 9170B08A-C675-4C7C-AB89-3BA5A43E924D
[2014.05.15 13:06:47.259] -
[2014.05.15 13:06:47.268] - INFO: EULA Accepted
[2014.05.15 13:06:47.268] - --------------------------------------------------------------------------------
[2014.05.15 13:06:47.268] - WARNING: ForcedMode Enabled
[2014.05.15 13:06:47.269] - --------------------------------------------------------------------------------
[2014.05.15 13:06:47.269] -
[2014.05.15 13:06:47.269] - --------------------------------------------------------------------------------
[2014.05.15 13:06:47.269] - INFO: Scanning for system infection...
[2014.05.15 13:06:47.269] - --------------------------------------------------------------------------------
[2014.05.15 13:06:47.270] -
[2014.05.15 13:06:47.271] -
[2014.05.15 13:06:47.271] - INFO: Current Shell HKLM [explorer.exe].
[2014.05.15 13:06:47.272] - INFO: Current SubSystems [%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16].
[2014.05.15 13:06:47.273] - ERROR: ERR_GSP06 FFFFFFFFC0000022...
[2014.05.15 13:06:47.273] - INFO: INF_CLDI01...
[2014.05.15 13:06:47.273] -
[2014.05.15 13:06:47.309] -
[2014.05.15 13:06:47.312] - INFO: Removing remnants of Win32/Sirefef threat...
[2014.05.15 13:06:47.887] - INFO: Directory scheduled to after reboot cleaning 1 - \??\C:\Windows\$NtUninstallKB3296$
[2014.05.15 13:06:48.392] - .............
[2014.05.15 13:06:49.712] - INFO: Win32/Sirefef was successfully scheduled to after reboot cleaning.
[2014.05.15 13:07:08.592] -
[2014.05.15 13:07:08.592] - --------------------------------------------------------------------------------
[2014.05.15 13:07:08.592] - INFO: System is rebooting...
[2014.05.15 13:07:09.614] - --------------------------------------------------------------------------------
[2014.05.15 13:07:09.614] - INFO: Logging finished successfully...
[2014.05.15 13:07:09.614] - ---------------------------------------------------------------------------
safety 2 Posted May 15, 2014
last check
[2014.05.15 13:35:02.533] - INFO: Win32/Sirefef not found
[2014.05.15 13:35:06.401] - --------------------------------------------------------------------------------
[2014.05.15 13:35:06.401] - INFO: Logging finished successfully...
[2014.05.15 13:35:06.401] - --------------------------------------------------------------
and
15.05.2014 13:37:23 Оперативная память 275 0 0 Зaвepшeнo
Administrators Marcos 4,704 Posted May 15, 2014
So I assume the Sirefef leftovers were removed completely according to the log:
[2014.05.15 13:06:47.312] - INFO: Removing remnants of Win32/Sirefef threat...
[2014.05.15 13:06:47.887] - INFO: Directory scheduled to after reboot cleaning 1 - \??\C:\Windows\$NtUninstallKB3296$
safety 2 Posted May 15, 2014
Quoting Marcos: "So I assume the Sirefef leftovers were removed completely according to the log:"
Yes, after this cleaning the anti-virus no longer detects Sirefef in memory. I will check later in another topic.
ESET Staff CB530 70 Posted May 15, 2014
Hello everyone,
The EsetSirefefCleaner tool has been updated to remove "leftovers" from older Sirefef variants when run using the /f switch. For step-by-step instructions to clean your system using the tool, please see our Knowledgebase article.