Infection by Sirefef Trojan (gen) disables Avast Web Shield & Mail Scanner

Good evening everyone,

Just wanted to mention that about two weeks ago, during an SAS scan, a Sirefef Trojan (gen) was detected on my computer. It managed to not only disable the Avast AV (free) Web Shield and Mail Scanner, but infected the C:\WINDOWS\SYSTEM 32\DRIVERS\ipsec.sys file. I'm guessing that during the removal process by SAS, the infected file was deleted altogether since afterward, I had no Internet access.

Spent $123.00 to get the computer fixed in a repair shop. Just wanted to make Avast staff aware of this issue since I obviously do not have the infected file to send them. Needless to say, I was quite surprised that Avast could be disabled so easily. :o

One question though: Is there any way to COPY the current ipsec.sys file to a flash drive then re-copy it to the aforementioned location if this type adverse event should occur again?

Regards,

First, I never take detections for granted (gospel): confirm, confirm, confirm before any deletion takes place. Check the file's date of creation and last modified date; see images of the one on my XP Pro SP3 system, creation/last modified dates and MD5 hash number.

The older this is, the less likely it is to have been infected, so it needs further analysis: uploading to virustotal for further confirmation.

That file should have been sent to the SAS Quarantine and not actually deleted; check the Manage Quarantine button at the bottom left of the Main scan window. A scan by my SAS Pro on my file doesn't detect anything.
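The two points raised so far, keeping a known-good copy of a driver file on removable media (the original question) and confirming a detection against the file's size, timestamps and hash before anything is deleted (the advice above), can be done with a small script. The following is an added example and not code from this thread or from Avast or SuperAntiSpyware; it assumes a constructed stand-in for ipsec.sys in a temporary directory and a directory standing in for the flash drive, so it runs anywhere. On a real machine you would point `backup_file` at the actual driver path and the removable drive instead.

```python
"""Baseline, verify and restore a file by hash (added example, not from the forum thread)."""
import datetime
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_fingerprint(path):
    """Size, modification time and hashes of a file. MD5 is kept because that is what
    most online scanners and forum posts quote; SHA-256 is what we actually compare."""
    p = Path(path)
    data = p.read_bytes()
    st = p.stat()
    return {
        "path": str(p),
        "size": st.st_size,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "modified_utc": datetime.datetime.fromtimestamp(
            st.st_mtime, datetime.timezone.utc).isoformat(),
    }


def backup_file(src, backup_dir):
    """Copy src into backup_dir (e.g. a flash drive) and write a JSON manifest next to it."""
    src = Path(src)
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / src.name
    shutil.copy2(src, dest)  # copy2 preserves the original timestamps
    manifest = backup_dir / (src.name + ".json")
    manifest.write_text(json.dumps(file_fingerprint(src), indent=2))
    return dest, manifest


def verify_file(path, manifest):
    """Compare the file on disk with the recorded baseline. Returns (ok, reason)."""
    expected = json.loads(Path(manifest).read_text())
    if not Path(path).exists():
        return False, "missing"
    current = file_fingerprint(path)
    if current["sha256"] != expected["sha256"]:
        return False, "hash mismatch"
    return True, "match"


def restore_file(path, backup_copy, manifest):
    """Put the backed-up copy back, but only if the backup itself still matches the
    manifest: a backup that has been tampered with must never be restored blindly."""
    expected = json.loads(Path(manifest).read_text())
    if file_fingerprint(backup_copy)["sha256"] != expected["sha256"]:
        raise ValueError("backup copy does not match its manifest; refusing to restore")
    shutil.copy2(backup_copy, path)
    return verify_file(path, manifest)


def demo():
    """Walk through backup -> modification -> deletion -> restore on constructed data."""
    with tempfile.TemporaryDirectory() as d:
        driver = Path(d) / "ipsec.sys"              # stand-in for the real driver
        driver.write_bytes(b"MZ" + b"\x00" * 510)   # constructed, not a real driver
        copy, manifest = backup_file(driver, Path(d) / "flash_drive")
        results = {"baseline": verify_file(driver, manifest)}
        driver.write_bytes(b"MZ" + b"\x90" * 510)   # simulate the file being altered
        results["tampered"] = verify_file(driver, manifest)
        driver.unlink()                              # simulate the file being deleted
        results["deleted"] = verify_file(driver, manifest)
        results["restored"] = restore_file(driver, copy, manifest)
        return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest records the MD5 alongside the SHA-256 so the same value can be typed into an online scanner for a second opinion; the restore step deliberately re-checks the backup copy first, since removable media is just as reachable by malware as the system drive while it is plugged in.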

Thanks very much for the feedback, David! I was the one who made the error of deleting the quarantined file from SAS. It was only later (after the machine was repaired), when I managed to find a few topics on the Sirefef Trojan, that I learned I should have just left it in quarantine and done as you just mentioned. New lesson learned!

Thanks again! :slight_smile:

You’re welcome.

Never a good idea to delete too soon, even for avast detections; as you say, a lesson learned.

There is no rush to delete anything from the chest/quarantine, a protected area where it can do no harm. Anything that you send to the chest/quarantine you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and, if they are still detected as viruses, delete them.

You also have virustotal as a backup; with its 40+ scanners it can confirm or deny the validity of a detection.