Trojan.Agent/Gen-Sirefef

[dw123]

I ran a routine scan and SAS found Trojan.Agent/Gen-Sirefef. Malwarebytes and Avast did not find them and those programs had updated definitions before I ran my scans. I quarantined the files in SAS. I read the sticky on how to report false positives but I am not sure how to do it after I quarantine the files. Can someone give me some guidance. I assume there is a way to report it without taking them out of quarantine and rescanning.

Below are my scan results.

Thanks!!

~~~~~~~~~~~~~~~~~~

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 10/10/2012 at 11:00 PM

Application Version : 4.55.1000

Core Rules Database Version : 8206

Trace Rules Database Version: 6018

Scan type : Complete Scan

Total Scan Time : 00:50:40

Memory items scanned : 352

Memory threats detected : 0

Registry items scanned : 5725

Registry threats detected : 0

File items scanned : 24591

File threats detected : 10

Trojan.Agent/Gen-Sirefef

C:\WINDOWS\$HF_MIG$\KB2503665\SP3QFE\AFD.SYS

C:\WINDOWS\$HF_MIG$\KB2509553\SP3QFE\AFD.SYS

C:\WINDOWS\$HF_MIG$\KB2592799\SP3QFE\AFD.SYS

C:\WINDOWS\$HF_MIG$\KB951748\SP3GDR\AFD.SYS

C:\WINDOWS\$HF_MIG$\KB956803\SP3GDR\AFD.SYS

C:\WINDOWS\$HF_MIG$\KB956803\SP3QFE\AFD.SYS

C:\WINDOWS\$NTUNINSTALLKB2503665$\AFD.SYS

C:\WINDOWS\$NTUNINSTALLKB2509553$\AFD.SYS

C:\WINDOWS\$NTUNINSTALLKB2592799$\AFD.SYS

C:\WINDOWS\$NTUNINSTALLKB956803$\AFD.SYS

[GuiltySpark]

They are likely to be FP's.

As they are updates/hotfixes for your XP machine.

[dw123]

So should I un-quarantine and run SAS again? Is there another way to confirm if it's a false positive. I did a web search and could not find anything.

Thanks!

[GuiltySpark]

For a second opinion I would submit them as FP's and let SAS double check them to be sure.

[SAS Customer Service]

So should I un-quarantine and run SAS again? Is there another way to confirm if it's a false positive. I did a web search and could not find anything.

Thanks!

Restoring them, running a scan and using the Report False Positive button at the end of the scan is the only way to submit as false positives for our definitions team to review.

[jhmax]

I also detected this infection and removed this infection on my xp partition during a scan on my windows 7 partition. i verified the infection was removed by doing a scan with superantispyware in windows 7 safe mode. Now i booted into my xp partition and my avast is not working properly, my windows firewall will not turn on, and cannot connect to the internet. I cannot submit a false positive i assume because i am using the free version, but any way here is my scan log, any help will be greatly appreciated and thank you very much in advance.

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 11/22/2012 at 01:18 PM

Application Version : 5.6.1014

Core Rules Database Version : 9629

Trace Rules Database Version: 7441

Scan type : Complete Scan

Total Scan Time : 00:23:16

Operating System Information

Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)

UAC Off - Administrator

Memory items scanned : 381

Memory threats detected : 0

Registry items scanned : 70223

Registry threats detected : 0

File items scanned : 58062

File threats detected : 2

Trojan.Agent/Gen-Sirefef

X:\WINDOWS\SYSTEM32\DLLCACHE\AFD.SYS

X:\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS

[GuiltySpark]

Hi jhmax ,

You'll need to use the XP disc to fix/repair those lost files.

You may also need to remove Avast AV with this : http://www.avast.com/uninstall-utility and then re-install the AV.

[jhmax]

Hi jhmax ,

You'll need to use the XP disc to fix/repair those lost files.

You may also need to remove Avast AV with this : http://www.avast.com/uninstall-utility and then re-install the AV.

Hi GuiltySpark,

thank you for the reply. I looked on another forum while awaiting your reply and restored the files and this time did a scan from the xp partition and nothing was detected so was this a false positive?

[GuiltySpark]

Certainly looks like it

[jhmax]

Certainly looks like it

Thank you very much for your help

[Cherrielane]

I also have this issue, ran SAS last night (I do run daily and MS updates are up to date). Put the three issues in quarantine, this AM my PC would not connect to the internet stating my IP was missing. I unquarantined the culprits, still unable to connect to internet until we ran a system restore.

The 'Trojan' is back in my PC as this is the only way it will connect to the internet. I have just sent the false/positive report.

My concern is; why is SAS just now picking this up if they have previously been reported as false/pos. ? Why did SAS not pick this up prior to last nights

test? Should I stay off my PC and use my MacBook until they report back to me?

Thanks a bunch...

I notice my results on number of threats and where are a bit different then the others:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 11/23/2012 at 08:10 PM

Application Version : 5.6.1014

Core Rules Database Version : 9631

Trace Rules Database Version: 7443

Scan type : Quick Scan

Total Scan Time : 00:04:53

Operating System Information

Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)

Administrator

Memory items scanned : 597

Memory threats detected : 0

Registry items scanned : 32054

Registry threats detected : 2

File items scanned : 7015

File threats detected : 1

Trojan.Agent/Gen-Sirefef

HKLM\System\CurrentControlSet\Services\AFD

C:\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_AFD

[GuiltySpark]

I don't think you have much to worry about there, but having issued a FP ticket I would wait for conformation if no reply after a week then you should contact them again to find out what's happening.

[vk1drums]

Over a week ago, I ran a full scan and ran into the same problem as above, although I deleted the files and tried retrieving them all later after vacation. I'm using my phone as I have no desktop internet connection. How do I fix the problem with my Windows XP disc, as registry files were also deleted and apparently restored with no change in connectivity whatsoever, along with firewall prompts of no display. Thank you!

[vk1drums]

Here's the screenshot of the FP files that were effected.

[vk1drums]

Sry, wouldn't attach.

[vk1drums]

Here's my results which have disconnected me from the Internet. Please help, thank you.

HKLM\System\ControlSet001\Services\AFD

C:\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS

HKLM\System\ControlSet001\Enum\Root\LEGACY_AFD

HKLM\System\ControlSet002\Services\AFD

HKLM\System\ControlSet002\Enum\Root\LEGACY_AFD

HKLM\System\ControlSet004\Services\AFD

HKLM\System\ControlSet004\Enum\Root\LEGACY_AFD

HKLM\System\CurrentControlSet\Services\AFD

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_AFD

C:\WINDOWS\SYSTEM32\DLLCACHE\AFD.SYS

[GuiltySpark]

Try a System Restore to before you ran the original scan.

[vk1drums]

I had applied system restore after restoring the above files. Also tried sfc /scannow and reset winsock and still no connection.

The only file that came up after a secondary scan was the C:\WINDOWS\SYSTEM\DLLCACHE\AFD.SYS file.

[GuiltySpark]

Have a look in C:\Windows\system32\dllcache

Copy the afd.sys file into

C:\Windows\system32\drivers

Then restart your machine and test net connection.

[vk1drums]

That did the trick! I also had to reset my firewall and load Windows Security Center into the registry as well, since the services had come up missing. Thanks for all of your assistance with this problem!

[Romanejo]

Similar problem in parallel section of forum, and my results, in case it helps anyone to know.

https://forums.superantispyware.com/index.php?/topic/7001-trojanwin32sirefef/page__hl__gen-sirefef__fromsearch__1