Pickums1283

Malware Detection and User Account


Hello:

I am a long time user of SAS, currently running a limited account on Windows XP. Earlier I ran a full scan under the limited account and it detected

Trojan.Agent/Gen-Sirefef.Process,

C:\WINDOWS\$HF_MIG$\KB2592799\SP3QFE\AFD.SYS.

I can't find much information on the trojan or the file it was detected in.

HOWEVER, I signed into my Administrative account and found the file and it seems like it is a legitimate Microsoft file. I ran SAS under the administrative account and it came up clean. So I switched back over to my account, scanned the Windows folder again, and once again Trojan.Agent/Gen-Sirefef.Process, found in C:\WINDOWS\$HF_MIG$\KB2592799\SP3QFE\AFD.SYS was detected. Ran another administrative account scan of the Windows folder, it comes up clean. Directly scanned the file itself under Adm. and it came up clean. I don't understand why it keeps coming up clean under an administrative account, but as dirty under the limited account. All of my other software programs have come up clean (Avira, Malwarebytes, Spybot, Blacklight Rootkit) and I ran the file through Virus Total and Jotti and both came up clean. Each SAS scan I ran, I made sure the program was completely up to date.

Any help?

Thanks,

Nikki

ETA: Another scan under the limited account with SAS detected two more threats, as well as the original, but 0 threats with the administrator account:

Trojan.Agent/Gen-Sirefef

C:\WINDOWS\$HF_MIG$\KB2592799\SP3QFE\AFD.SYS

C:\WINDOWS\SYSTEM32\DLLCACHE\AFD.SYS

Trojan.Agent/Gen-Orsam

C:\WINDOWS\SYSTEM32\DLLCACHE\NETBT.SYS

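One check worth making before trusting (or distrusting) a single scanner's verdict on a file like this is to hash every copy of the driver that Windows keeps around and compare them: the copy in SYSTEM32\DLLCACHE should be byte-identical to the live driver, while the copies under $HF_MIG$, $NtServicePackUninstall$ and the restore points are backups of earlier or alternate builds and may legitimately differ. The script below is an added example, not code from the original post or from SUPERAntiSpyware; it assumes the live driver sits at system32\drivers\afd.sys (an assumption about the XP layout) and builds a constructed stand-in for C:\WINDOWS in a temporary directory so it runs offline. On a real machine you would point it at the actual Windows directory from an administrative account and paste the resulting SHA-256 digests into VirusTotal or Jotti instead of uploading the file.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Location of the live driver, relative to the Windows directory (assumed XP layout).
LIVE_SUBDIR = os.path.join("system32", "drivers")
# The dllcache copy is Windows File Protection's pristine copy and should match the live file.
DLLCACHE_SUBDIR = os.path.join("system32", "dllcache")


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(windir, filename):
    """Every path under windir whose name matches filename, case-insensitively
    (hotfix backup folders mix upper- and lower-case names)."""
    wanted = filename.lower()
    hits = []
    for root, _dirs, files in os.walk(windir):
        for name in files:
            if name.lower() == wanted:
                hits.append(os.path.join(root, name))
    return sorted(hits)


def triage(windir, filename):
    """Hash all copies of filename under windir and group paths by digest.

    Returns (groups, live_hash, dllcache_mismatch) where groups maps a digest
    to the list of paths carrying it, live_hash is the digest of the running
    driver (None if absent) and dllcache_mismatch is True only when the WFP
    cache copy differs from the live copy, which is the one comparison that
    should never fail on a healthy system.
    """
    groups = defaultdict(list)
    for path in find_copies(windir, filename):
        groups[sha256_of(path)].append(path)

    live = os.path.join(windir, LIVE_SUBDIR, filename)
    live_hash = sha256_of(live) if os.path.isfile(live) else None

    cache = os.path.join(windir, DLLCACHE_SUBDIR, filename)
    dllcache_mismatch = bool(
        os.path.isfile(cache) and live_hash is not None and sha256_of(cache) != live_hash
    )
    return dict(groups), live_hash, dllcache_mismatch


def build_demo_tree():
    """Constructed sample layout standing in for C:\\WINDOWS; the file bodies are
    placeholder bytes, not real driver code."""
    windir = tempfile.mkdtemp(prefix="xp_windows_")
    current = b"placeholder: current afd.sys build\n" * 64
    qfe = b"placeholder: hotfix QFE-branch afd.sys build\n" * 64
    older = b"placeholder: pre-service-pack afd.sys build\n" * 64
    layout = {
        os.path.join("system32", "drivers", "afd.sys"): current,
        os.path.join("system32", "dllcache", "AFD.SYS"): current,
        os.path.join("$hf_mig$", "KB2592799", "SP3QFE", "AFD.SYS"): qfe,
        os.path.join("$NtServicePackUninstall$", "AFD.SYS"): older,
    }
    for rel, data in layout.items():
        full = os.path.join(windir, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return windir


if __name__ == "__main__":
    root = build_demo_tree()
    groups, live_hash, mismatch = triage(root, "afd.sys")
    for digest, paths in groups.items():
        tag = "LIVE" if digest == live_hash else "backup"
        print(f"{digest[:16]}... ({tag})")
        for p in paths:
            print("    " + os.path.relpath(p, root))
    print("dllcache differs from live driver:", mismatch)
```

Backup copies that differ from the live driver are expected and are not evidence of infection on their own; a dllcache copy that differs from the live one, or a live copy whose digest no scanner or vendor recognises, is the case that deserves a closer look.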

Hi,

I am having the same issue. When I run SAS under a limited account in Win XP Pro it finds Trojan.Agent/Gen-Sirefef in the afd.sys file in three places:

C:\WINDOWS\$HF_MIG$\KB2592799\SP3QFE\AFD.SYS

C:\WINDOWS\$HF_MIG$\KB956803\SP2QFE\AFD.SYS

C:\WINDOWS\$NTSERVICEPACKUNINSTALL$\AFD.SYS

When I scan under an administrative account, SAS does not flag afd.sys. I also scanned with Avast, MBAM, and TrendMicro's Housecall and none of them flagged afd.sys.

Thanks.


karras-

Which version of SAS are you using? I updated to SAS 5 on Jan 11 and am no longer getting these threats.

It's still strange why these threats kept popping up, and only under the limited accounts. I didn't start getting them until around January.


Now I'm getting the Trojan.Agent/Gen-Orsam warning for C:\WINDOWS\$NTSERVICEPACKUNINSTALL$\NETBT.SYS. I didn't get it last week. Anyway ...

I am running SAS free edition, version 4. I'll try updating to version 5.

Thanks.


I had a few detections that came up once in a scan and never again after that. They were:

Trojan.Agent/Gen-Orsam

C:\WINDOWS\SYSTEM32\DLLCACHE\NETBT.SYS

Trojan.Agent/Gen-Sirefef

C:\WINDOWS\SYSTEM32\DLLCACHE\AFD.SYS

Trojan.Agent/Gen-Sirefef

C:\SYSTEM VOLUME INFORMATION\_RESTORE{D1C3F180-D2CB-4F68-B0AD-E8AD83F01364}\RP793\A0090175.SYS

Trojan.Agent/Gen-Bumat

C:\WINDOWS\$NTUNINSTALLKB932716-V2$\CDROM.SYS

The only one that consistently showed up in every scan under the limited account was Trojan.Agent/Gen-Sirefef in C:\WINDOWS\$HF_MIG$\KB2592799\SP3QFE\AFD.SYS. But I have run about 6 scans since updating to the latest version and each one has only come up with tracking cookies. I am still a little reluctant to do certain things with my computer since receiving these threats, but it sounds like if you are having these problems as well and they disappear with the upgrade, it may have been a bug with that version. I can't seem to find out any information about it.
