Help! a Trojan called: Trojan.Sirefef.K

Greeting!  Today 2:03 a Trojan called: Trojan.Sirefef.K
entered in to my computer, but was fortunately removed by F-Secure.

But this Trojan keeps coming back! So far it has made 37 attempts & 8 of those it has
failed to remove it! What should I do?



  • [Deleted User]
    [Deleted User] Posts: 0 Former F-Secure Employee

    Hi Incognito,


    Please configure Manual Scanning options then run a Full computer scan.

    - Settings > Manual Scanning > Scanning options:

    a. Uncheck Scan only known file types.

    b. Check Use advanced heuristics.

    - Actions: Quarantine the file.


    Best regards,


  • It Worked! Or at least I think it did…

    After I did as instructed, I made a full security scan and it found & guarantied
    few viruses, but it didn’t found any spyware. This is odd, since I assumed that
    Trojans are spywares and not viruses. Still I’m very grateful for your help!
    Good fortune & happy cyber surfing Smiley Happy

  • No wait it’s still in my computer! The
    F-Secure alarmed me again that it removed the Trojan.Sirefef.K.

    The same Trojan that it removed exactly 40 times already! I don’t understand this. My F-Secure
    is up to date and I’ve been done the full virus scan 3 times today!

    Is there anything else I can do?

  • [Deleted User]
    [Deleted User] Posts: 0 Former F-Secure Employee

    Hi Incognito,


    Please provide the infection locations shown in your scanning report.




    Best regards,


  • How? I’m sorry but I’ve never done this before.

    I would greatly appreciate if you would post a step-by-step guide for me.


  • I found this text in scanning reports.

    Is This what you are looking for?


    Scanning Report 04 November 2011 16:13:33 - 17:05:58

    Computer name: DRAGON-PC
    Scanning type: Scan hard drives
    Target: C:\ D:\

    Result: 3 malware found


    • C:\Users\Sseeth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\22679350-566ca262\support\SmartyPointer.class
    • C:\Users\Sseeth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\22679350-566ca262
      Action: quarantined


    • C:\Users\Sseeth\AppData\Local\9ea44023\X Action: quarantined



    • Files: 349463
    • Not scanned: 18628


    • Viruses: 3
    • Spyware: 0
    • Suspicious items: 0
    • Riskware: 0


    • Disinfected: 0
    • Renamed: 0
    • Deleted: 0
    • Quarantined: 2
    • Failed: 0

    Boot Sectors:

    • Scanned: 6
    • Infected: 0
    • Suspicious items: 0
    • Disinfected: 0
  • It worked! It really worked this time! No more alert messages for me Smiley Happy

    Thank you Oiwa & Jayson for your most excellent help.

    However I would like to add a little detail that the file in question was
    actually a hidden file. Had to make it a viewable from the control panel first.
    Thank you again for your help Smiley Happy


    Good fortune & happy cyber surfing Smiley Happy


  • oiwa
    oiwa Posts: 3 Observer

    Hi Incognito,


    Good to hear you got it removed. Smiley Happy 


    Tbh i forgot to tell that usually those files are hidden. I always make system/hidden files viewable right after installing windows so i can see them all the time.


    This seems to be a newer version of this Trojan, as the files of older version were usually in system32 folder and there were also some registry-keys, you had to remove.


    I did a little forum-search and it seems that this keylogger has newer variants already. Smiley Sad

    Got to be more careful when surffing on... ehmm.. adult sites Smiley Very Happy


    Happy and safe surffing to you too! Smiley Happy





  • hi i also have had this problem and thanks to you guys i will get rid of it thank you

  • Luna99
    Luna99 Posts: 1

    Hi Oiwa


    I can see, that you´ve heard about Sirefef.C which is in the system32 folder. I have that virus and cannot remove it. I have tried a full computerscan as described earlier, but F-Secure didn´t quarantine the file. I have also tried booting in secure mode and remove the file manually, but Í get the message, that the files is open, so it can´t be deleted.


    Can you help? And if you can, I need to tell you, that I am not very computerskilled and English is my second language, so please very basic descriptions....


    And do you know, if it is safe for me to use the computer - netbanking etc.?


    Best regards


    Luna 99

  • klauzser
    klauzser Posts: 32 Observer

    I am sorry to tell you this, but I have it removed by a different AV. I won't be sharing it here, but I hope F-Secure will make updates real fast. image

  • oiwa
    oiwa Posts: 3 Observer

    Hi Luna99,


    I´m sorry this reply comes quite late. It´s been a while since i´ve been surffing on these forums. If you still have this problem, please post f-secure log file, and i can check it for you.



  • etomcat
    etomcat Posts: 147 Superuser



    When using Windows XP and the Windows' System Restore Folder feature is enabled, it is NOT possible to disinfect malware, because Windows will use its own cache to re-plant the files which the antivirus deletes or moves to quarantine. The malware just keeps coming back, no matter how many times it gets detected and disinfected.


    Some antivirus vendors use tricks, like asking the user to reboot and vanquishing the malware file during start-up time, when System Restore is not yet active. F-Secure does not do this, so it is necessary to disable Windows System Restore folders for all disk partitions (drives) before attempting to disinfect.


    (Windows System Restore folder functionality has been somewhat replaced with WinSxS in VIsta and Win7).


    Another possibility is for malware to come back from another infected computer, via network transfer, if there is a wired or Wi-Fi connection to the LAN.


    Best Regards, Tamas Feher from Hungary.

This discussion has been closed.
Pricing & Product Info