Trojan.Agent/Gen-Sirefef

20 replies to this topic

#1 dw123 (Newbie, Members, 2 posts)
Posted 17 October 2012 - 09:49 PM

I ran a routine scan and SAS found Trojan.Agent/Gen-Sirefef. Malwarebytes and Avast did not find them, and those programs had updated definitions before I ran my scans. I quarantined the files in SAS. I read the sticky on how to report false positives, but I am not sure how to do it after I quarantine the files. Can someone give me some guidance? I assume there is a way to report it without taking them out of quarantine and rescanning.

Below are my scan results.

Thanks!!

~~~~~~~~~~~~~~~~~~
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/10/2012 at 11:00 PM

Application Version : 4.55.1000

Core Rules Database Version : 8206
Trace Rules Database Version: 6018

Scan type : Complete Scan
Total Scan Time : 00:50:40

Memory items scanned : 352
Memory threats detected : 0
Registry items scanned : 5725
Registry threats detected : 0
File items scanned : 24591
File threats detected : 10

Trojan.Agent/Gen-Sirefef
C:\WINDOWS\$HF_MIG$\KB2503665\SP3QFE\AFD.SYS
C:\WINDOWS\$HF_MIG$\KB2509553\SP3QFE\AFD.SYS
C:\WINDOWS\$HF_MIG$\KB2592799\SP3QFE\AFD.SYS
C:\WINDOWS\$HF_MIG$\KB951748\SP3GDR\AFD.SYS
C:\WINDOWS\$HF_MIG$\KB956803\SP3GDR\AFD.SYS
C:\WINDOWS\$HF_MIG$\KB956803\SP3QFE\AFD.SYS
C:\WINDOWS\$NTUNINSTALLKB2503665$\AFD.SYS
C:\WINDOWS\$NTUNINSTALLKB2509553$\AFD.SYS
C:\WINDOWS\$NTUNINSTALLKB2592799$\AFD.SYS
C:\WINDOWS\$NTUNINSTALLKB956803$\AFD.SYS

#2 GuiltySpark (Volunteer Mod, Moderators, 833 posts, Location: The Space Between Two Points)
Posted 17 October 2012 - 11:46 PM

They are likely to be FPs, as they are updates/hotfixes for your XP machine.

Using No Way - As Way, Having No Limitation - As Limitation.
Techstep123 http://tgigeeks.net/
Anonysome Emporium T.I.M


#3 dw123 (Newbie, Members, 2 posts)
Posted 19 October 2012 - 07:03 PM

So should I un-quarantine and run SAS again? Is there another way to confirm if it's a false positive? I did a web search and could not find anything.

Thanks!

#4 GuiltySpark (Volunteer Mod, Moderators, 833 posts, Location: The Space Between Two Points)
Posted 19 October 2012 - 08:35 PM

For a second opinion I would submit them as FPs and let SAS double-check them to be sure.



#5 SAS Customer Service (Advanced Member, Moderators, 966 posts)
Posted 19 October 2012 - 08:37 PM

So should I un-quarantine and run SAS again? Is there another way to confirm if it's a false positive? I did a web search and could not find anything.

Thanks!


Restoring them, running a scan and using the Report False Positive button at the end of the scan is the only way to submit as false positives for our definitions team to review.
Customer Service
SUPERAntiSpyware
www.superantispyware.com

#6 jhmax (Newbie, Members, 3 posts)
Posted 22 November 2012 - 07:40 PM

I also detected this infection and removed it on my XP partition during a scan on my Windows 7 partition. I verified the infection was removed by doing a scan with SUPERAntiSpyware in Windows 7 safe mode. Now I have booted into my XP partition and my Avast is not working properly, my Windows Firewall will not turn on, and I cannot connect to the internet. I cannot submit a false positive, I assume because I am using the free version, but anyway here is my scan log. Any help will be greatly appreciated, and thank you very much in advance.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/22/2012 at 01:18 PM

Application Version : 5.6.1014

Core Rules Database Version : 9629
Trace Rules Database Version: 7441

Scan type : Complete Scan
Total Scan Time : 00:23:16

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 381
Memory threats detected : 0
Registry items scanned : 70223
Registry threats detected : 0
File items scanned : 58062
File threats detected : 2

Trojan.Agent/Gen-Sirefef
X:\WINDOWS\SYSTEM32\DLLCACHE\AFD.SYS
X:\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS

#7 GuiltySpark (Volunteer Mod, Moderators, 833 posts, Location: The Space Between Two Points)
Posted 22 November 2012 - 08:33 PM

Hi jhmax,

You'll need to use the XP disc to fix/repair those lost files.

You may also need to remove Avast AV with this : http://www.avast.com/uninstall-utility and then re-install the AV.



#8 jhmax (Newbie, Members, 3 posts)
Posted 23 November 2012 - 12:41 AM

Hi jhmax,

You'll need to use the XP disc to fix/repair those lost files.

You may also need to remove Avast AV with this : http://www.avast.com/uninstall-utility and then re-install the AV.


Hi GuiltySpark,
Thank you for the reply. I looked on another forum while awaiting your reply and restored the files, and this time did a scan from the XP partition and nothing was detected, so was this a false positive?

#9 GuiltySpark (Volunteer Mod, Moderators, 833 posts, Location: The Space Between Two Points)
Posted 23 November 2012 - 02:41 PM

Certainly looks like it :)



#10 jhmax (Newbie, Members, 3 posts)
Posted 24 November 2012 - 03:38 AM

Certainly looks like it :)


Thank you very much for your help.

#11 Cherrielane (Newbie, Members, 2 posts, Location: Pacific Islands)
Posted 24 November 2012 - 11:43 PM

I also have this issue. I ran SAS last night (I do run it daily, and MS updates are up to date). I put the three issues in quarantine; this AM my PC would not connect to the internet, stating my IP was missing. I unquarantined the culprits and was still unable to connect to the internet until we ran a system restore.
The 'Trojan' is back on my PC, as this is the only way it will connect to the internet. I have just sent the false positive report.
My concern is: why is SAS just now picking this up if they have previously been reported as false positives? Why did SAS not pick this up prior to last night's test? Should I stay off my PC and use my MacBook until they report back to me?
Thanks a bunch...
I notice my results on the number of threats and where they are are a bit different than the others:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/23/2012 at 08:10 PM

Application Version : 5.6.1014

Core Rules Database Version : 9631
Trace Rules Database Version: 7443

Scan type : Quick Scan
Total Scan Time : 00:04:53

Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 597
Memory threats detected : 0
Registry items scanned : 32054
Registry threats detected : 2
File items scanned : 7015
File threats detected : 1

Trojan.Agent/Gen-Sirefef
HKLM\System\CurrentControlSet\Services\AFD
C:\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_AFD

#12 GuiltySpark (Volunteer Mod, Moderators, 833 posts, Location: The Space Between Two Points)
Posted 25 November 2012 - 03:28 PM

I don't think you have much to worry about there, but having issued an FP ticket I would wait for confirmation; if there is no reply after a week, then you should contact them again to find out what's happening.



#13 vk1drums (Newbie, Members, 6 posts)
Posted 01 December 2012 - 10:28 PM

Over a week ago, I ran a full scan and ran into the same problem as above, although I deleted the files and tried retrieving them all later, after vacation. I'm using my phone as I have no desktop internet connection. How do I fix the problem with my Windows XP disc, as registry files were also deleted and apparently restored with no change in connectivity whatsoever, along with firewall prompts that do not display? Thank you!

#14 vk1drums (Newbie, Members, 6 posts)
Posted 01 December 2012 - 10:36 PM

Here's the screenshot of the FP files that were affected.

#15 vk1drums (Newbie, Members, 6 posts)
Posted 01 December 2012 - 10:41 PM

Sorry, it wouldn't attach.

#16 vk1drums (Newbie, Members, 6 posts)
Posted 02 December 2012 - 03:57 PM

Here are my results, which have disconnected me from the internet. Please help, thank you.

HKLM\System\ControlSet001\Services\AFD
C:\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_AFD
HKLM\System\ControlSet002\Services\AFD
HKLM\System\ControlSet002\Enum\Root\LEGACY_AFD
HKLM\System\ControlSet004\Services\AFD
HKLM\System\ControlSet004\Enum\Root\LEGACY_AFD
HKLM\System\CurrentControlSet\Services\AFD
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_AFD
C:\WINDOWS\SYSTEM32\DLLCACHE\AFD.SYS

#17 GuiltySpark (Volunteer Mod, Moderators, 833 posts, Location: The Space Between Two Points)
Posted 02 December 2012 - 06:08 PM

Try a System Restore to before you ran the original scan.



#18 vk1drums (Newbie, Members, 6 posts)
Posted 03 December 2012 - 12:42 AM

I had applied System Restore after restoring the above files. I also tried sfc /scannow and reset Winsock, and still no connection.

The only file that came up after a secondary scan was the C:\WINDOWS\SYSTEM\DLLCACHE\AFD.SYS file.



#19 GuiltySpark (Volunteer Mod, Moderators, 833 posts, Location: The Space Between Two Points)
Posted 03 December 2012 - 03:34 PM

Have a look in C:\Windows\system32\dllcache

Copy the afd.sys file into C:\Windows\system32\drivers

Then restart your machine and test the net connection.



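An added example that ties together the check dw123 asked for in post #3 (is there a way to confirm the detection is a false positive other than restoring and rescanning?) and the repair GuiltySpark gave in post #19 (copy afd.sys from dllcache into drivers, restart, test the connection). It is not code from this thread, from SUPERAntiSpyware or from Microsoft. It assumes PowerShell 2.0 is installed on the XP machine and is run as Administrator; the `$SystemRoot` parameter, the `Get-Sha256Hex` and `Show-FileInfo` helpers and the `.suspect` backup name are my own choices, and the expected Type/Start values for the AFD service key come from my own notes on XP, not from the page.

```powershell
# Added example (not SAS or Microsoft code): compare the live afd.sys with the
# Windows File Protection backup in dllcache, restore the backup if the live
# copy is missing or differs, then rebuild Winsock. Run as Administrator in
# PowerShell 2.0 on the affected XP install.
# $SystemRoot is an assumed parameter: point it at another partition's Windows
# directory (e.g. X:\WINDOWS as in post #6) to repair that install's files; the
# registry and netsh steps below always act on the running system.
param([string]$SystemRoot = $env:SystemRoot)

$live   = Join-Path $SystemRoot 'system32\drivers\afd.sys'
$backup = Join-Path $SystemRoot 'system32\dllcache\afd.sys'

function Get-Sha256Hex([string]$Path) {
    # PowerShell 2.0 has no Get-FileHash, so use the .NET hash provider.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Show-FileInfo([string]$Path) {
    # File version lets you match the copy against the hotfix KB that shipped it.
    $v = (Get-Item $Path).VersionInfo
    Write-Host $Path
    Write-Host ("  version " + $v.FileVersion)
    Write-Host ("  sha256  " + (Get-Sha256Hex $Path))
}

if (-not (Test-Path $backup)) {
    # Nothing to restore from. The XP CD's i386\AFD.SY_ can be expanded into
    # place instead, but it is the CD's version, so re-run Windows Update after.
    Write-Error "No dllcache copy of afd.sys under $SystemRoot; restore it from the XP CD."
    exit 1
}
Show-FileInfo $backup

if (-not (Test-Path $live)) {
    Write-Host 'drivers\afd.sys is missing (quarantined or deleted); restoring from dllcache.'
    Copy-Item $backup $live
}
elseif ((Get-Sha256Hex $live) -eq (Get-Sha256Hex $backup)) {
    # The file the scanner flagged is byte-identical to the copy Windows File
    # Protection keeps as the original: the picture a definition FP presents.
    Show-FileInfo $live
    Write-Host 'Live driver matches its protected backup; submit it as a false positive.'
}
else {
    # Keep the divergent copy for analysis, then put the protected backup in place.
    Show-FileInfo $live
    Copy-Item $live "${live}.suspect" -Force
    Copy-Item $backup $live -Force
    Write-Host "Mismatch: saved the live copy as ${live}.suspect and restored the dllcache version."
}

# The scanner also removed the AFD service key on some machines (posts #11 and
# #16). afd.sys is a boot-time kernel driver: expect Type 1 and Start 1 here
# (values from my own notes, not from the thread).
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD' -ErrorAction SilentlyContinue
if ($svc) { $svc | Select-Object ImagePath, Type, Start | Format-List }
else      { Write-Warning 'Services\AFD key is missing; a System Restore point from before the scan is the simplest way to get it back.' }

# afd.sys sits underneath Winsock, so rebuild the Winsock catalog before rebooting.
netsh winsock reset
Write-Host 'Reboot now, then re-test the network connection.'
```

Identical hashes only show that the scanner flagged the same bytes Windows File Protection keeps as the original; they do not prove the file is clean on their own, since the $HF_MIG$ and $NtUninstall copies from post #1 are legitimately different builds and a real infection that patched both locations would also match. The `sfc /scannow` run from post #18 is the check that validates the protected files against Microsoft's catalog, and the Report False Positive button from post #5 remains the only route into the definitions team.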
#20 vk1drums (Newbie, Members, 6 posts)
Posted 04 December 2012 - 03:41 AM

That did the trick! I also had to reset my firewall and load Windows Security Center into the registry as well, since the services had come up missing. Thanks for all of your assistance with this problem!



