Over 2300 Hijack.Trojan.Siredef.C found with 3.0


A full scan with Rootkit Scan enabled yields over 2300 Hijack.Trojan.Siredef.C issues.  I couldn't find anything about Siredef but I did find information about Sirefef.  Perhaps there is a spelling error here.  Anyways, scans with Windows Defender, TDSSKiller, ESET Sirefef Removal Tool and Bitdefender Sirefef Removal Tool report the system as clean.

Scanning with Rootkit Scan disabled does not find anything.  Report attached.

MB False Positives 12-14-16.txt

  • Staff

Hello,

I am unable to reproduce the detection. Are you seeing anything strange like popups, advertisements playing through your speaker or anything like that?

I'd like to look at a couple logs which hopefully will show me what the issue is.

Please download the 64 bit version of FRST from this site & save it to your desktop:
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Once saved, right click it, choose run as administrator.

It takes a minute to load up as it creates a backup of your registry.

Once loaded, leave the settings as is & click "scan". This will take a few minutes.

Once complete, 2 logs will pop up. (FRST.txt, Addition.txt) Please attach them to your next reply. Logs will be saved in same directory you saved FRST tool to.

Please don't use it to "fix" anything. I just need the log info for now.

Thanks!

  • Staff

Thank you,

Not seeing anything nasty in your logs as you likely suspected.

Can you export this key please from the registry, zip it & attach?

HKEY_USERS\S-1-5-21-3954850271-3684721423-1578709394-1001_Classes\WOW6432NODE\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}

Thanks!
  • Staff

Thank you for all your patience :)

I am going to have one of the devs have a look at the info you provided so far so we can make sure to prevent this in the future. The detection is correct for that specific registry key but I am having trouble seeing why all those other traces were flagged.

Question for you..

Did you ever have an actual 0access, sirefef, zaccess or zeroaccess infection on this machine before? (depending on the variant of it or the app used to clean it, it may have been any one of those names). It would likely have been quite a while back if you did, since this infection is old & it is rarely seen in the wild anymore.

Thanks!


Thanks for your help.  I never had an infection but Malwarebytes 2.0 detected that key only.  I had to add it to the exceptions list as I learned that that key is also a legitimate Microsoft key used for CD burning.  I've read about this key being reported as a false positive before.

  • Staff

Indeed that CLSID is legit for CD Burning... but it is the ones under HKLM. The one on your machine was under your user account. Normally that CLSID is not created under the user hives. It is possible a 3rd party burning program created it.
I can fix this pretty quick. I want to see though if the dev I asked to look wants anything further from you before I do fix the detection.

  • Staff

Hello again,

Another quick request if you can please.

If the following registry keys exist on your machine, can you export them as well?

HKEY_USERS\S-1-5-21-3954850271-3684721423-1578709394-1001\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}
HKEY_USERS\S-1-5-21-3954850271-3684721423-1578709394-1001_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}
HKEY_USERS\S-1-5-21-3954850271-3684721423-1578709394-1001\WOW6432NODE\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}

Shouldn't be much difference in them if they exist but I have seen stranger things happen :)

Thanks!
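An added PowerShell example, not part of this thread and not Malwarebytes' own tooling, that automates the checks the staff asked for: it looks for the CLSID under the HKLM Classes keys (where a Microsoft-owned COM class normally lives) and under every loaded user hive (including the `<SID>_Classes` hives backing HKCU\Software\Classes), exports each copy it finds with `reg.exe export`, and flags any user-scope copy whose `InprocServer32` differs from the machine-scope one. The CLSID is the one from the thread; the output folder name is an assumption.

```powershell
# Added example (not from this thread or from Malwarebytes): find every place a
# CLSID is registered, export each copy, and compare user-scope copies to HKLM.
# $Clsid is the key discussed in the thread; $OutDir is an assumed location.
param(
    [string]$Clsid  = '{FBEB8A05-BEEE-4442-804E-409D6C4515E9}',
    [string]$OutDir = "$env:USERPROFILE\Desktop\clsid-export"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Machine-wide locations: the expected home of a Microsoft-registered COM class.
$candidates = @(
    "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$Clsid",
    "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\$Clsid"
)

# Per-user locations. HKU\<SID>_Classes is the hive behind HKCU\Software\Classes,
# which is where a class registered for one user rather than the machine shows up.
$userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' }
foreach ($hive in $userHives) {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') {
        $candidates += "HKEY_USERS\$sid\CLSID\$Clsid"
        $candidates += "HKEY_USERS\$sid\WOW6432Node\CLSID\$Clsid"
    } else {
        $candidates += "HKEY_USERS\$sid\SOFTWARE\Classes\CLSID\$Clsid"
        $candidates += "HKEY_USERS\$sid\SOFTWARE\Classes\WOW6432Node\CLSID\$Clsid"
    }
}

$found = @()
foreach ($key in $candidates) {
    if (-not (Test-Path -Path "Registry::$key")) { continue }

    # Record what the class points at so copies can be compared across scopes.
    $server = Get-ItemProperty -Path "Registry::$key\InprocServer32" -ErrorAction SilentlyContinue
    $found += [pscustomobject]@{
        Key            = $key
        Scope          = if ($key -like 'HKEY_LOCAL_MACHINE*') { 'machine' } else { 'user' }
        InprocServer32 = if ($server) { $server.'(default)' } else { '<none>' }
    }

    # reg.exe export writes the .reg file requested in the thread; one file per hit.
    $file = Join-Path $OutDir (($key -replace '[\\:{}]', '_') + '.reg')
    & reg.exe export $key $file /y | Out-Null
}

$found | Format-Table -AutoSize

# A user-scope copy that has no HKLM counterpart, or whose server path differs from
# it, is the one worth a closer look; a copy identical to HKLM is consistent with a
# third-party program simply re-registering the class for the current user.
$machine = $found | Where-Object Scope -eq 'machine' | Select-Object -First 1
foreach ($hit in ($found | Where-Object Scope -eq 'user')) {
    if (-not $machine -or $hit.InprocServer32 -ne $machine.InprocServer32) {
        Write-Warning "User-scope copy differs from machine scope: $($hit.Key)"
    }
}
```

Run it from an elevated PowerShell prompt so the HKU hives of other logged-on users are readable; the .reg files land in the output folder ready to zip and attach.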

  • Staff

Hello again,

I have heard back from Nick. He is requesting some additional data to help resolve the issue you are seeing with the F/P detections.

Can you run a new scan with the latest definitions and rootkit scanning enabled, then cancel the cleanup.

Then zip the following folders:

C:\ProgramData\Malwarebytes\MBAMService\config
C:\ProgramData\Malwarebytes\MBAMService\logs

Once zipped, please attach them in your reply along with the registry info above. 

Thanks!

  • Staff

Awesome. Thanks!

One more log & one more registry key if it still exists, then I'll quit bugging you until instructed otherwise.

Registry export:

HKEY_USERS\S-1-5-21-3954850271-3684721423-1578709394-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12152016184438640_Classes\WOW6432NODE\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}

Log:

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ScanResults\786d7a8f-c31f-11e6-baf9-64006a058ee5.json

Thanks again. :)

  • Staff

Hello again,

Nick had a look at the logs, tried to reproduce it but cannot. 

If you don't mind, he wants to get more detailed logging from MBAM.

Please enable MBAM's Event Log Data. HowTo:

Open MBAM > Settings > Application tab > slide the Event Log Data switch to "on". Once it turns green, re-enable your rootkit scanning again & run a new scan.

Screenshot in case it is needed is attached.

Once you have cancelled this & hit "finish" on the scan, go ahead & turn Event Log Data/rootkit scanning off again. The event logging is likely pretty CPU intensive because it logs a lot more stuff during a scan so generally not recommended to have it on all the time.

Once all this is complete...

Please zip & attach the following:
C:\ProgramData\Malwarebytes\MBAMService\config
C:\ProgramData\Malwarebytes\MBAMService\logs

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ScanResults\latest log.json

Thanks!

eventlog-data.png


FYI - Removing the key...

HKEY_USERS\S-1-5-21-3954850271-3684721423-1578709394-1001_Classes\WOW6432NODE\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}

prevents all 2300+ warnings from showing up and results in a clean scan.  I just think that key is put there by legitimate software in my case.

  • Staff

Thank you for the update AlBlon,

I suspected it would be simple enough to just remove that key or set that key to always ignore in next scans (which should in theory also prevent the other traces from being detected).

Interesting though that even if I import that registry key & scan with rootkit scanning enabled, it is just that key that is detected.

I wonder though about another program you have installed. CryptoPrevent...
Since it sets up a pile of group policies and such to prevent ransomwares & many other malwares from installing, and I believe it also alters permissions on certain registry keys to block anything from making malicious changes, I wonder if that would have any impact on how some AV/AS products "act" when reading certain keys, files, etc. (this is just a fleeting thought though)

Question for you is.. do you have the free version of CryptoPrevent or the Pay-for version?

If Pay-for version, have you set up any custom rules within the program? If so, what rule(s)?

Thanks!
