Help! a Trojan called: Trojan.Sirefef.K

Incognito

Greeting!  Today 2:03 a Trojan called: Trojan.Sirefef.K
entered in to my computer, but was fortunately removed by F-Secure.

But this Trojan keeps coming back! So far it has made 37 attempts & 8 of those it has
failed to remove it! What should I do?

 

[Deleted User]

Hi Incognito,

 

Please configure Manual Scanning options then run a Full computer scan.

- Settings > Manual Scanning > Scanning options:

a. Uncheck Scan only known file types.

b. Check Use advanced heuristics.

- Actions: Quarantine the file.

 

Best regards,

Jayson

Incognito

It Worked! Or at least I think it did…

After I did as instructed, I made a full security scan and it found & guarantied
few viruses, but it didn’t found any spyware. This is odd, since I assumed that
Trojans are spywares and not viruses. Still I’m very grateful for your help!
Good fortune & happy cyber surfing

Incognito

No wait it’s still in my computer! The
F-Secure alarmed me again that it removed the Trojan.Sirefef.K.

The same Trojan that it removed exactly 40 times already! I don’t understand this. My F-Secure
is up to date and I’ve been done the full virus scan 3 times today!

Is there anything else I can do?

[Deleted User]

Hi Incognito,

 

Please provide the infection locations shown in your scanning report.

 

Thanks.

 

Best regards,

Jayson

Incognito

How? I’m sorry but I’ve never done this before.

I would greatly appreciate if you would post a step-by-step guide for me.

 

Incognito

I found this text in scanning reports.

Is This what you are looking for?

 

Scanning Report 04 November 2011 16:13:33 - 17:05:58

Computer name: DRAGON-PC
Scanning type: Scan hard drives
Target: C:\ \

---

Result: 3 malware found

Java.Exploit.CVE-2010-0840.E
(virus)

• C:\Users\Sseeth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\22679350-566ca262\support\SmartyPointer.class
• C:\Users\Sseeth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\22679350-566ca262
  Action: quarantined

Trojan.Generic.6733232
(virus)

• C:\Users\Sseeth\AppData\Local\9ea44023\X Action: quarantined

---

Statistics

Scanned:

• Files: 349463
• Not scanned: 18628

Result:

• Viruses: 3
• Spyware: 0
• Suspicious items: 0
• Riskware: 0

Actions:

• Disinfected: 0
• Renamed: 0
• Deleted: 0
• Quarantined: 2
• Failed: 0

Boot Sectors:

• Scanned: 6
• Infected: 0
• Suspicious items: 0
• Disinfected: 0

oiwa

I had exact the same trojan on my computer. Nasty little keylogger....

 

It seems i got it removed.

 

What i did was a full system scan with settings mentioned earlier in this thread.

 

(F-secure will put infected files to quarantine but still after a while it will promt a message of infected file. However the files are actually quarantined.)

 

After a scan i rebooted my computer and searced those infected files mentioned in f-secure log.

 

In your case, according your log-file Trojan.Sirefef.K is located here. -->> C:\Users\Sseeth\AppData\Local\9ea44023\X

You can remove the whole folders starting from 9ea44023 folder.

 

If you cant remove the file/folder, boot your computer to safemode, by pressing F8 when your computer is restartting. Find the files, remove them manually and boot your computer normally.

 

I hope this helps.

 

-oiwa-

Incognito

It worked! It really worked this time! No more alert messages for me

Thank you Oiwa & Jayson for your most excellent help.

However I would like to add a little detail that the file in question was
actually a hidden file. Had to make it a viewable from the control panel first.
Thank you again for your help

 

Good fortune & happy cyber surfing

 

oiwa

Hi Incognito,

 

Good to hear you got it removed.  

 

Tbh i forgot to tell that usually those files are hidden. I always make system/hidden files viewable right after installing windows so i can see them all the time.

 

This seems to be a newer version of this Trojan, as the files of older version were usually in system32 folder and there were also some registry-keys, you had to remove.

 

I did a little forum-search and it seems that this keylogger has newer variants already.

Got to be more careful when surffing on... ehmm.. adult sites 

 

Happy and safe surffing to you too!

 

-oiwa-

 

 

the_human_ape

hi i also have had this problem and thanks to you guys i will get rid of it thank you

Luna99

Hi Oiwa

 

I can see, that you´ve heard about Sirefef.C which is in the system32 folder. I have that virus and cannot remove it. I have tried a full computerscan as described earlier, but F-Secure didn´t quarantine the file. I have also tried booting in secure mode and remove the file manually, but Í get the message, that the files is open, so it can´t be deleted.

 

Can you help? And if you can, I need to tell you, that I am not very computerskilled and English is my second language, so please very basic descriptions....

 

And do you know, if it is safe for me to use the computer - netbanking etc.?

 

Best regards

 

Luna 99

klauzser

I am sorry to tell you this, but I have it removed by a different AV. I won't be sharing it here, but I hope F-Secure will make updates real fast.

oiwa

Hi Luna99,

 

I´m sorry this reply comes quite late. It´s been a while since i´ve been surffing on these forums. If you still have this problem, please post f-secure log file, and i can check it for you.

 

-Oiwa-

etomcat

Hello,

 

When using Windows XP and the Windows' System Restore Folder feature is enabled, it is NOT possible to disinfect malware, because Windows will use its own cache to re-plant the files which the antivirus deletes or moves to quarantine. The malware just keeps coming back, no matter how many times it gets detected and disinfected.

 

Some antivirus vendors use tricks, like asking the user to reboot and vanquishing the malware file during start-up time, when System Restore is not yet active. F-Secure does not do this, so it is necessary to disable Windows System Restore folders for all disk partitions (drives) before attempting to disinfect.

 

(Windows System Restore folder functionality has been somewhat replaced with WinSxS in VIsta and Win7).

 

Another possibility is for malware to come back from another infected computer, via network transfer, if there is a wired or Wi-Fi connection to the LAN.

 

Best Regards, Tamas Feher from Hungary.