Jump to content

Cleaning Win32/Sirefef trojan


Go to solution Solved by Marcos,

Recommended Posts

Hi

 

Earlier today ESET NOD32 came up with a message indicating that the Win32/Sirefef trojan was found in the operating memory. I have tried several things found on the internet, but none worked. I also ran the Windows Malicious Software Removal Tool, and it actually detected malware, but upon a restart ESET gave the same error.

 

What really baffles me is that ESET gives no option to clean or even quarantine or send for analysis on the trojan; all option i have is "No action".

 

Could someone please try to assist me in attempting to remove the trojan?

 

System Specs:

Windows 7 Home Premium 32-bit Service Pack 1

Pentium Dual-Core E6700 3.20 GHz

RAM: 4.00 GB (2.71 usable)

OS installed on 371 GB partition of 500 GB drive, 1 TB external drive connected

ESET NOD32 Antivirus version 7.0.302.26

Link to comment
Share on other sites

Hello,

 

I've run into the same thing as the op - NOD32 puts up a warning that Win32/Sirefef Trojan was found in the operating memory.

 

I've run the Sirefef cleaner that Marcos linked above twice (2 reboots for each time), but I'm still getting the warning.

 

I had this virus before (about a year ago or so), and successfully removed it with a tool I downloaded from ESET. But I can't seem to get rid of it this time.

 

My PC doesn't exhibit any of the symptoms for this virus, just the warning from NOD32. I wonder if this might be a false positive?

Link to comment
Share on other sites

I have the exact problem that Darxicus reported. When I download and run the executable from the link posted by Arakasi, I get the following result:

 

Scanning for system infection...

---------------------------------------

Threat Not Found

You don't have Win32/Sirefef in your system. [Press Any Key]

Link to comment
Share on other sites

I have also run the executable with the /f switch as Marcos suggested. The program ran and the computer rebooted. I was prompted to run the program again, I did so and the computer rebooted again and started up normally. However, the threat alert remains and ESET reports the trojan is present when I scan operating memory.

Link to comment
Share on other sites

I can only suggest possibly phoning in to support and letting them take samples if its a new variant.

They may help you with the cleaning process as well after license verification. ;)

Marcos may have more to add so stick around just in-case.

Link to comment
Share on other sites

Thank you, Arakasi, for the reply. I had the software do a Customer Care support submission with registry and all of the other information it gathers. I hope to hear from someome tomorrow.

Link to comment
Share on other sites

  • Administrators

We're planning to release an updated version of the Sirefef cleaner within a couple of hours which will remove Sirefef remnants from the disk even if Sirefef is no longer active in the system.

Link to comment
Share on other sites

Darxicus, I couldn't get the removal tool to work for me, either. I called ESET San Diego and it was necessary for them to take remote control of my machine and manually clean the trojan. The process was painless and quick and the reps were professional and friendly.

Link to comment
Share on other sites

utility Falls v 1.1.0.19

 

 

[2014.05.14 22:34:00.671] - 

[2014.05.14 22:34:00.703] - 
[2014.05.14 22:34:00.703] - INFO: Removing remnants of Win32/Sirefef threat...
[2014.05.14 22:34:01.375] - 
[2014.05.14 22:34:01.375] - INFO: Win32/Sirefef was successfully removed from your system.
[2014.05.14 22:34:01.375] - --------------------------------------------------------------------------------
[2014.05.14 22:34:01.375] - INFO: Logging finished successfully...
[2014.05.14 22:34:01.375] - --------------------------------------------------------------------------------
 
after a new scan

 

[2014.05.14 22:35:35.062] - 

[2014.05.14 22:35:35.078] - 
[2014.05.14 22:35:35.078] - INFO: Removing remnants of Win32/Sirefef threat...
[2014.05.14 22:35:35.109] - 
[2014.05.14 22:35:35.109] - INFO: Win32/Sirefef was successfully removed from your system.
[2014.05.14 22:35:35.109] - --------------------------------------------------------------------------------
[2014.05.14 22:35:35.109] - INFO: Logging finished successfully...
[2014.05.14 22:35:35.109] - --------------------------------------------------------------------------------
 
 
 
Scan Log
Version of virus signature database: 9799P (20140514)
Date: 14.05.2014  Time: 22:27:06
Scanned disks, folders and files: Operating memory
Number of scanned objects: 389
Number of threats found: 0
Time of completion: 22:27:40  Total scanning time: 34 sec (00:00:34)
 
 
 
 
 

 

Link to comment
Share on other sites

Darxicus, I couldn't get the removal tool to work for me, either. I called ESET San Diego and it was necessary for them to take remote control of my machine and manually clean the trojan. The process was painless and quick and the reps were professional and friendly.

I may try that

Link to comment
Share on other sites

in this topic

hxxp://forum.esetnod32.ru/forum6/topic10845/

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org
 
Database version: v2014.05.14.02
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.17107
Computer :: GIN [administrator]
 
14.05.2014 12:54:18
mbar-log-2014-05-14 (12-54-18).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Kernel memory modifications detected. Deep Anti-Rootkit Scan engaged.
Objects scanned: 286246
Time elapsed: 29 minute(s), 53 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 4
c:\windows\$ntuninstallkb3296$\1644588774 (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\l (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\194118127 (Backdoor.0Access) -> Delete on reboot.
 
Files Detected: 13
c:\windows\$ntuninstallkb3296$\1644588774\l\xadqgnnk (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\00000001.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\00000002.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\00000004.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\80000000.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\80000004.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\80000032.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\bckfg.tmp (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\cfg.ini (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\desktop.ini (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\keywords (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\kwrd.dll (Backdoor.0Access) -> Delete on reboot.
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
Link to comment
Share on other sites

later

 

[2014.05.15 13:06:47.253] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Sirefef
[2014.05.15 13:06:47.254] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 1.1.0.19
[2014.05.15 13:06:47.255] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: May 14 2014
[2014.05.15 13:06:47.256] -  .::EE:::::::::::::SS:.EE..........TT......
[2014.05.15 13:06:47.256] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2014.05.15 13:06:47.257] -   ..::::::::::::::::::....................    1992-2013. All rights reserved.
[2014.05.15 13:06:47.257] -     ....................................
[2014.05.15 13:06:47.257] - 
[2014.05.15 13:06:47.257] - --------------------------------------------------------------------------------
[2014.05.15 13:06:47.257] - 
[2014.05.15 13:06:47.258] - INFO: OS: 6.1.7601 SP1
[2014.05.15 13:06:47.258] - INFO: Product Type: Workstation
[2014.05.15 13:06:47.258] - INFO: WoW64: False
[2014.05.15 13:06:47.259] - INFO: Machine guid: 9170B08A-C675-4C7C-AB89-3BA5A43E924D 
[2014.05.15 13:06:47.259] - 
[2014.05.15 13:06:47.268] - INFO: EULA Accepted
[2014.05.15 13:06:47.268] - --------------------------------------------------------------------------------
[2014.05.15 13:06:47.268] - WARNING: ForcedMode Enabled
[2014.05.15 13:06:47.269] - --------------------------------------------------------------------------------
[2014.05.15 13:06:47.269] - 
[2014.05.15 13:06:47.269] - --------------------------------------------------------------------------------
[2014.05.15 13:06:47.269] - INFO: Scanning for system infection...
[2014.05.15 13:06:47.269] - --------------------------------------------------------------------------------
[2014.05.15 13:06:47.270] - 
[2014.05.15 13:06:47.271] - 
[2014.05.15 13:06:47.271] - INFO: Current Shell HKLM [explorer.exe].
[2014.05.15 13:06:47.272] - INFO: Current SubSystems [%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16].
[2014.05.15 13:06:47.273] - ERROR: ERR_GSP06 FFFFFFFFC0000022...
[2014.05.15 13:06:47.273] - INFO: INF_CLDI01...
[2014.05.15 13:06:47.273] - 
[2014.05.15 13:06:47.309] - 
[2014.05.15 13:06:47.312] - INFO: Removing remnants of Win32/Sirefef threat...
[2014.05.15 13:06:47.887] - INFO: Directory scheduled to after reboot cleaning 1 - \??\C:\Windows\$NtUninstallKB3296$
[2014.05.15 13:06:48.392] - 
.............
 
[2014.05.15 13:06:49.712] - INFO: Win32/Sirefef was successfully scheduled to after reboot cleaning.
[2014.05.15 13:07:08.592] - 
[2014.05.15 13:07:08.592] - --------------------------------------------------------------------------------
[2014.05.15 13:07:08.592] - INFO: System is rebooting...
[2014.05.15 13:07:09.614] - --------------------------------------------------------------------------------
[2014.05.15 13:07:09.614] - INFO: Logging finished successfully...
[2014.05.15 13:07:09.614] - ---------------------------------------------------------------------------
Link to comment
Share on other sites

last check

 

[2014.05.15 13:35:02.533] - INFO: Win32/Sirefef not found 
[2014.05.15 13:35:06.401] - -------------------------------------------------------------------------------- 
[2014.05.15 13:35:06.401] - INFO: Logging finished successfully... 
[2014.05.15 13:35:06.401] - --------------------------------------------------------------

 

and

 

15.05.2014 13:37:23 Оперативная память 275 0 0 Зaвepшeнo

Link to comment
Share on other sites

  • Administrators

So I assume the Sirefef leftovers were removed completely according to the log:

 

[2014.05.15 13:06:47.312] - INFO: Removing remnants of Win32/Sirefef threat...
[2014.05.15 13:06:47.887] - INFO: Directory scheduled to after reboot cleaning 1 - \??\C:\Windows\$NtUninstallKB3296$
Link to comment
Share on other sites

 

So I assume the Sirefef leftovers were removed completely according to the log:

 

Yes, after this cleaning, anti-virus is not detected in the memory Sirefef 

check later on another topic.

Link to comment
Share on other sites

  • ESET Staff

Hello everyone,

The EsetSirefeCleaner tool has been updated to remove "leftovers" from older Sirefef variants when run using the /f switch. For step-by-step instructions to clean your system using the tool, please our Knowledgebase article.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...