Win32/SIREF.EZ trojan



katharinem
14-06-2013, 01:47 AM
My husband installed ESET NOD32 because mail.com wouldn't open and the Microsoft Security Essentials icon had disappeared from the right-hand corner of the taskbar - a popup box informed him that the file (MSE) could not be accessed by the system. NOD32 found this - WINS32/SERIF.EZ Trojan. Any help please.

Speedy Gonzales
14-06-2013, 07:49 AM
Do you mean Sirefef? If you do, try this (http://kb.eset.com/esetkb/index?page=content&id=SOLN2895&locale=en_US)

It looks like it disables some services as well. Looks like it's called the ZeroAccess botnet trojan too (http://en.wikipedia.org/wiki/ZeroAccess_botnet).


Try tdsskiller (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) <- direct link; it looks like it's a rootkit. See if that can remove it. This may also work; it's Symantec's ZeroAccess removal tool (http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixZeroAccess.exe) <- direct link. Disable System Restore first.

Once it's removed, make sure Windows is up to date (you may have to find out what services have been removed / disabled first).

Get Farbar Service Scanner (http://www.bleepingcomputer.com/download/farbar-service-scanner/) (after you remove it). Run it, tick all options, then scan. Then copy and paste what comes up in here.

katharinem
14-06-2013, 10:37 AM
Thanks. Busy today but hopefully will have time to attend to this. Where would he have picked it up, do you think?

katharinem
14-06-2013, 11:04 AM
Yes, it is Sirefef - start scan said it's in operating memory exe file and a number. Operating memory>>\GLOBAL??\ 81c70267\ WINDOWS\...\desktop.ini Threat a variant of SIREFEF.EZ Trojan

Speedy Gonzales
14-06-2013, 11:29 AM
Not too sure how he picked it up. It looks like you can get it if you don't update Windows (it may exploit Windows vulnerabilities that you don't patch). But I would get the programs I posted, then take it offline till you remove it.

katharinem
06-07-2013, 01:32 PM
Sorry this has taken a while, been out of the country for three weeks. Your suggested fix worked - thank you!! Below is the Farbar scan result as requested. Computer has Kerio as firewall with Windows Firewall disabled. Will appreciate greatly any info and help you can glean from the Farbar scan. Computer connects and runs fine now. Many thanks.

Farbar Service Scanner Version: 27-06-2013
Ran by len and kate (administrator) on 05-07-2013 at 15:44:01
Running from "C:\Documents and Settings\len and kate\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.

Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: ATTENTION!=====> Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking LEGACY_BITS: ATTENTION!=====> Unable to open LEGACY_BITS\0000 registry key. The key does not exist.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
epfwtdir(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x09000000050000000100000002000000030000000400000056000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****
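The Farbar log above reads as a series of "Service is not running" blocks, each followed by "ATTENTION!" lines saying whether a registry value or the whole service key is gone, plus a file-check list of MD5 verdicts. The script below is an added illustration, not part of the thread and not Farbar's own code: it parses that report format and separates services whose entire registry key is missing (which have to be rebuilt from .reg files, as the later replies do) from services that merely lost values. The sample log embedded in it is constructed to mirror the posted report; the "MD5 is not legit" wording for a flagged file is an assumption, and the friendly service names are the standard Windows XP ones.

```python
"""Parse Farbar Service Scanner (FSS) output and summarise service damage.

Added example for this thread; not FSS code and not from the original post.
SAMPLE_LOG is constructed to match the format of the report posted above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Friendly names for the XP services FSS checks (standard Windows names).
SERVICE_NAMES = {
    "sharedaccess": "Windows Firewall / Internet Connection Sharing",
    "wscsvc": "Security Center",
    "wuauserv": "Automatic Updates",
    "BITS": "Background Intelligent Transfer Service",
}

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\. Checking service configuration:")
ATTENTION = re.compile(r"^Checking (.+?): ATTENTION!=+> (.*)$")
FILE_CHECK = re.compile(r"^([A-Za-z]:\\\S+) => (.*)$")


@dataclass
class ServiceFinding:
    name: str
    problems: List[str] = field(default_factory=list)
    service_key_missing: bool = False   # HKLM\...\Services\<name> itself is gone
    legacy_key_missing: bool = False    # Enum\Root\LEGACY_<name>\0000 is gone


def parse_fss(text: str) -> dict:
    """Walk the report line by line; a blank line ends the current service block."""
    report = {"services": {}, "files_checked": 0, "files_not_legit": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        m = NOT_RUNNING.match(line)
        if m:
            current = report["services"].setdefault(m.group(1), ServiceFinding(m.group(1)))
            continue
        m = FILE_CHECK.match(line)
        if m:
            report["files_checked"] += 1
            if m.group(2) != "MD5 is legit":   # assumed wording for a modified file
                report["files_not_legit"].append(m.group(1))
            continue
        if current is not None and "does not exist" in line:
            m = ATTENTION.match(line)
            detail = m.group(2) if m else line  # some lines lack the "Checking" prefix
            current.problems.append(detail)
            if "service key does not exist" in detail:
                current.service_key_missing = True
            elif "LEGACY_" in detail and "key does not exist" in detail:
                current.legacy_key_missing = True
    return report


def services_to_rebuild(report: dict) -> List[str]:
    """Services whose registry key is gone entirely: these need .reg restoration."""
    return sorted(n for n, f in report["services"].items() if f.service_key_missing)


def summary_lines(report: dict) -> List[str]:
    lines = []
    for name, f in sorted(report["services"].items()):
        friendly = SERVICE_NAMES.get(name, "unknown service")
        state = "service key MISSING" if f.service_key_missing else "values missing"
        lines.append(f"{name} ({friendly}): {state}, {len(f.problems)} problem line(s)")
    lines.append(f"files checked: {report['files_checked']}, "
                 f"flagged: {report['files_not_legit']}")
    return lines


# Constructed sample, shortened from the posted report format.
SAMPLE_LOG = r"""Farbar Service Scanner Version: 27-06-2013
Microsoft Windows XP Home Edition Service Pack 3 (X86)

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

File Check:
========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\example.dll => MD5 is not legit

**** End of log ****
"""

if __name__ == "__main__":
    for line in summary_lines(parse_fss(SAMPLE_LOG)):
        print(line)
```

Run against the real report above, the same parser would list wscsvc, wuauserv and BITS as needing their service keys rebuilt, and sharedaccess as present but stripped of its Start and ImagePath values, which is exactly the split the later replies act on by sending .reg files.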

Speedy Gonzales
06-07-2013, 01:38 PM
OK, some services / registry entries are missing. I'll see if I can get them online.

Speedy Gonzales
06-07-2013, 01:55 PM
Just sent you a PM Kath. If it's not online, give me an email in a PM and I'll zip the reg files. When you receive the email, unzip it, then run each one, then reboot.

Speedy Gonzales
06-07-2013, 05:09 PM
Zip file sent to email