dw123 Posted October 17, 2012

I ran a routine scan and SAS found Trojan.Agent/Gen-Sirefef. Malwarebytes and Avast did not find them, and those programs had updated definitions before I ran my scans. I quarantined the files in SAS. I read the sticky on how to report false positives, but I am not sure how to do it after I quarantine the files. Can someone give me some guidance? I assume there is a way to report it without taking them out of quarantine and rescanning. Below are my scan results. Thanks!!

~~~~~~~~~~~~~~~~~~
SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 10/10/2012 at 11:00 PM

Application Version : 4.55.1000

Core Rules Database Version : 8206
Trace Rules Database Version: 6018

Scan type : Complete Scan
Total Scan Time : 00:50:40

Memory items scanned : 352
Memory threats detected : 0
Registry items scanned : 5725
Registry threats detected : 0
File items scanned : 24591
File threats detected : 10

Trojan.Agent/Gen-Sirefef
C:\WINDOWS\$HF_MIG$\KB2503665\SP3QFE\AFD.SYS
C:\WINDOWS\$HF_MIG$\KB2509553\SP3QFE\AFD.SYS
C:\WINDOWS\$HF_MIG$\KB2592799\SP3QFE\AFD.SYS
C:\WINDOWS\$HF_MIG$\KB951748\SP3GDR\AFD.SYS
C:\WINDOWS\$HF_MIG$\KB956803\SP3GDR\AFD.SYS
C:\WINDOWS\$HF_MIG$\KB956803\SP3QFE\AFD.SYS
C:\WINDOWS\$NTUNINSTALLKB2503665$\AFD.SYS
C:\WINDOWS\$NTUNINSTALLKB2509553$\AFD.SYS
C:\WINDOWS\$NTUNINSTALLKB2592799$\AFD.SYS
C:\WINDOWS\$NTUNINSTALLKB956803$\AFD.SYS
GuiltySpark Posted October 17, 2012

They are likely to be FPs, as they are updates/hotfixes for your XP machine.
dw123 Posted October 19, 2012

So should I un-quarantine and run SAS again? Is there another way to confirm if it's a false positive? I did a web search and could not find anything. Thanks!
GuiltySpark Posted October 19, 2012

For a second opinion I would submit them as FPs and let SAS double check them to be sure.
SAS Customer Service Posted October 19, 2012

> So should I un-quarantine and run SAS again? Is there another way to confirm if it's a false positive? I did a web search and could not find anything. Thanks!

Restoring them, running a scan and using the Report False Positive button at the end of the scan is the only way to submit them as false positives for our definitions team to review.
jhmax Posted November 22, 2012

I also detected this infection and removed it on my XP partition during a scan on my Windows 7 partition. I verified the infection was removed by doing a scan with SUPERAntiSpyware in Windows 7 safe mode. Now I booted into my XP partition and my Avast is not working properly, my Windows Firewall will not turn on, and I cannot connect to the internet. I cannot submit a false positive, I assume because I am using the free version, but anyway here is my scan log. Any help will be greatly appreciated, and thank you very much in advance.

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 11/22/2012 at 01:18 PM

Application Version : 5.6.1014

Core Rules Database Version : 9629
Trace Rules Database Version: 7441

Scan type : Complete Scan
Total Scan Time : 00:23:16

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 381
Memory threats detected : 0
Registry items scanned : 70223
Registry threats detected : 0
File items scanned : 58062
File threats detected : 2

Trojan.Agent/Gen-Sirefef
X:\WINDOWS\SYSTEM32\DLLCACHE\AFD.SYS
X:\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS
GuiltySpark Posted November 22, 2012

Hi jhmax,

You'll need to use the XP disc to fix/repair those lost files. You may also need to remove Avast AV with this: http://www.avast.com/uninstall-utility and then re-install the AV.
jhmax Posted November 23, 2012

> Hi jhmax,
>
> You'll need to use the XP disc to fix/repair those lost files. You may also need to remove Avast AV with this: http://www.avast.com/uninstall-utility and then re-install the AV.

Hi GuiltySpark, thank you for the reply. I looked on another forum while awaiting your reply and restored the files, and this time did a scan from the XP partition and nothing was detected. So was this a false positive?
GuiltySpark Posted November 23, 2012

Certainly looks like it.
jhmax Posted November 24, 2012

> Certainly looks like it.

Thank you very much for your help.
Cherrielane Posted November 24, 2012

I also have this issue. I ran SAS last night (I do run daily and MS updates are up to date) and put the three issues in quarantine. This AM my PC would not connect to the internet, stating my IP was missing. I unquarantined the culprits and was still unable to connect to the internet until we ran a system restore. The 'Trojan' is back in my PC, as this is the only way it will connect to the internet. I have just sent the false positive report. My concern is: why is SAS just now picking this up if they have previously been reported as false positives? Why did SAS not pick this up prior to last night's test? Should I stay off my PC and use my MacBook until they report back to me? Thanks a bunch...

I notice my results on the number of threats and where they are differ a bit from the others:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 11/23/2012 at 08:10 PM

Application Version : 5.6.1014

Core Rules Database Version : 9631
Trace Rules Database Version: 7443

Scan type : Quick Scan
Total Scan Time : 00:04:53

Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 597
Memory threats detected : 0
Registry items scanned : 32054
Registry threats detected : 2
File items scanned : 7015
File threats detected : 1

Trojan.Agent/Gen-Sirefef
HKLM\System\CurrentControlSet\Services\AFD
C:\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_AFD
GuiltySpark Posted November 25, 2012

I don't think you have much to worry about there, but having issued a FP ticket I would wait for confirmation; if there is no reply after a week, then you should contact them again to find out what's happening.
vk1drums Posted December 1, 2012

Over a week ago, I ran a full scan and ran into the same problem as above, although I deleted the files and tried retrieving them all later, after vacation. I'm using my phone as I have no desktop internet connection. How do I fix the problem with my Windows XP disc? Registry files were also deleted and apparently restored with no change in connectivity whatsoever, along with firewall prompts that show no display. Thank you!
vk1drums Posted December 1, 2012

Here's the screenshot of the FP files that were affected.
vk1drums Posted December 1, 2012

Sorry, it wouldn't attach.
vk1drums Posted December 2, 2012

Here are my results, which have disconnected me from the Internet. Please help, thank you.

HKLM\System\ControlSet001\Services\AFD
C:\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_AFD
HKLM\System\ControlSet002\Services\AFD
HKLM\System\ControlSet002\Enum\Root\LEGACY_AFD
HKLM\System\ControlSet004\Services\AFD
HKLM\System\ControlSet004\Enum\Root\LEGACY_AFD
HKLM\System\CurrentControlSet\Services\AFD
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_AFD
C:\WINDOWS\SYSTEM32\DLLCACHE\AFD.SYS
GuiltySpark Posted December 2, 2012

Try a System Restore to before you ran the original scan.
vk1drums Posted December 3, 2012

I had applied System Restore after restoring the above files. I also tried sfc /scannow and reset Winsock, and still no connection. The only file that came up after a secondary scan was the C:\WINDOWS\SYSTEM\DLLCACHE\AFD.SYS file.
GuiltySpark Posted December 3, 2012

Have a look in C:\Windows\system32\dllcache.
Copy the afd.sys file into C:\Windows\system32\drivers.
Then restart your machine and test the net connection.
vk1drums Posted December 4, 2012

That did the trick! I also had to reset my firewall and load Windows Security Center into the registry as well, since the services had come up missing. Thanks for all of your assistance with this problem!
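Before copying afd.sys between folders, it helps to know exactly which piece is missing: the driver file, the dllcache backup, or the AFD service registry key that the scans above also flagged. The following read-only check is an added example, not code from the thread or from SUPERAntiSpyware; it assumes an elevated PowerShell 2.0 or later session on the affected Windows install and only reads the paths and key named in the posts above.

```powershell
# Added example (not from the thread): read-only health check for the AFD driver
# after a quarantine/restore. Assumes an elevated PowerShell 2.0+ session.
$sysRoot    = $env:SystemRoot
$driver     = Join-Path $sysRoot 'system32\drivers\afd.sys'
$cached     = Join-Path $sysRoot 'system32\dllcache\afd.sys'   # XP file-protection backup copy
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD'    # key the scans above flagged

# SHA-256 via .NET so this also works on PowerShell 2.0, which lacks Get-FileHash.
function Get-Sha256Hex([string]$path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try   { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

$report = @()
foreach ($p in @($driver, $cached)) {
    if (Test-Path $p) { $report += "present  $p  sha256=$(Get-Sha256Hex $p)" }
    else              { $report += "MISSING  $p" }
}

# A differing hash is not by itself a sign of tampering: hotfix builds (the KB
# folders in the first post) legitimately ship different afd.sys versions.
if ((Test-Path $driver) -and (Test-Path $cached)) {
    if ((Get-Sha256Hex $driver) -eq (Get-Sha256Hex $cached)) {
        $report += 'drivers\afd.sys matches the dllcache copy'
    } else {
        $report += 'drivers\afd.sys DIFFERS from the dllcache copy (compare file versions before copying)'
    }
}

# Without its service key the driver is never loaded, which is consistent with the
# "IP missing" and firewall symptoms reported in this thread.
if (Test-Path $serviceKey) {
    $svc = Get-ItemProperty -Path $serviceKey
    # Start=1 is SERVICE_SYSTEM_START, the normal value for this boot-time network driver
    $report += "AFD service key present: Start=$($svc.Start) ImagePath=$($svc.ImagePath)"
} else {
    $report += "AFD service key MISSING at $serviceKey (the driver cannot load)"
}

$report
```

Run it before and after the copy-and-reboot step so the change you made is visible in the output rather than inferred from whether the network came back.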
Romanejo Posted December 4, 2012

Similar problem in a parallel section of the forum, and my results, in case it helps anyone to know: https://forums.superantispyware.com/index.php?/topic/7001-trojanwin32sirefef/page__hl__gen-sirefef__fromsearch__1