Inquiry regarding infection with Trojan, Gen Sirefef...

Good afternoon everyone,

 Back on Sunday, April 1st, I discovered via a scan with SAS, my computer had picked up a Trojan (the Sirefef variety).  [i](The computer was not displaying any odd behavior.  The scan is just something I have a habit of doing 2 or 3 times each day...especially after spending time on the Internet).[/i]  Although SAS removed some of it, this trojan somehow managed to:

1. Disable Avast’s Web Shield & Mail Scanner functions - and I was unable to restart them.
2. It prevented ANY access to the Internet with either Firefox or IE8.

Subsequent scans with Avast, SAS & MBAM came up clean, both in Normal Mode & Safe Mode. I tried System Restore back to a period 7 days earlier, to no avail. From what I saw in the SAS log, this trojan managed to delete the ipsec.sys file. Two registry keys and 1 file on the HD (in C:\WINDOWS…) were listed as being affected as well.

Since this is the only computer I have, there was no option but to take it to a repair shop to get it fixed. (Without Internet access, I obviously could not obtain needed help here in the forums).

My question is this: Are there some methods I can use to neutralize this type of infection if it should occur again…and I am unable to access the Internet?

The repair shop’s charge was just over $123.00 to resolve the problems caused by this trojan. Living on a very limited fixed monthly income as I do…that $123.00 is a LOT of money to me. I must say also…I’m rather surprised this trojan was able to disable the two aforementioned parts of the Avast AV (free version).

Thank you for your time and any suggestions!

This is a very easy infection to remove; you should not have allowed SAS to do the removal, as it does not know what repairs to do prior to removal.

If you had come here with details of the infection then we could have removed it cleanly - even if it meant going online with an infected system.

I appreciate the info, essexboy!

Unfortunately, every time I attempted to get on the Internet, all I got was the typical page which said, "Internet Explorer cannot display the page." Even while using Safe Mode with Networking, the result was the same. If I had been able to get on, I would have posted about the issue here.

*By the way…would there be any advantage to having my ISP install a router (which has a hardware firewall)? I.e., would that provide some security enhancement in addition to my Outpost Firewall Pro?

To be honest, firewalls are good but not that good; they are more of a second line of defence.

Shame you did not have access to a second computer, as we could have worked via that.

What did the shop do?

Hi again essexboy,

Here is the word-for-word list on the invoice:

Nature of Service

Blow-out and vacuum inside
Advanced Diagnostic plus exam
Dell 3000
Boots ok
Ran ComboFix - removed 3, replaced missing ipsec.sys file
Rootkit check = 0
DTF
Disabled unnecessary programs in start-up
Uninstalled Bing Bar, CP
Ran malware cleaning programs

You’re right about it being a shame I don’t have a 2nd computer around. I have no doubt the problem I had could have been resolved in no time had I been able to get on the Internet & come here!

Best regards,
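The invoice above says the shop "replaced missing ipsec.sys file", which matches the SAS log entry earlier in the thread and explains the loss of Internet access. As an added example (not something posted in this thread, and not a ComboFix or Avast procedure), here is an offline check a user in the same position could run from a Command Prompt before paying for a repair: it reports whether the driver file is present, tries to restore it from the Windows File Protection cache, and shows the state of the IPsec driver and its service. The paths, the `dllcache` location, and the service names `IPSec` and `PolicyAgent` are assumptions based on Windows XP defaults; on a different Windows version the names and locations may differ.

```batch
@echo off
REM Constructed example for this thread, not code from the original post.
REM Offline check for the symptom described above: ipsec.sys removed during
REM a Sirefef clean-up, leaving the machine with no network access.
REM Run from an elevated Command Prompt (Safe Mode is fine, no Internet needed).
REM ASSUMPTIONS: Windows XP paths; dllcache holds a protected copy of ipsec.sys;
REM the kernel driver service is named "IPSec" and the user-mode service "PolicyAgent".
setlocal

set DRV=%SystemRoot%\system32\drivers\ipsec.sys
set CACHE=%SystemRoot%\system32\dllcache\ipsec.sys

echo === Driver file check ===
if exist "%DRV%" (
    echo [OK]      %DRV% is present
) else (
    echo [MISSING] %DRV%
    if exist "%CACHE%" (
        echo Restoring from the Windows File Protection cache: %CACHE%
        copy /y "%CACHE%" "%DRV%"
        if errorlevel 1 (
            echo [FAIL] Copy failed - run the prompt as Administrator and retry
        ) else (
            echo [OK]   Restored; reboot before re-testing the network
        )
    ) else (
        echo No cached copy. Restore ipsec.sys from a known-good machine running the
        echo SAME Windows version and service pack, or from the Windows CD with sfc /scannow.
    )
)

echo.
echo === Service state (a missing driver usually shows STATE : STOPPED) ===
sc query IPSec | findstr /i "SERVICE_NAME STATE"
sc query PolicyAgent | findstr /i "SERVICE_NAME STATE"

endlocal
```

Because the file comes from the local cache rather than the Internet, this check works on a machine that cannot browse, which was the original poster's situation. It does not remove the infection itself; it only repairs the one piece of collateral damage named on the invoice, and the thread's advice to get the removal checked before running cleaners still stands.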

Hi essexboy,

There seems to be an important message here, and essential information for victims. In the case of particular infections it is not advisable to run certain anti-malware programs, because they could do more harm than good. Can you add this information to a sticky here in “virus and worms”, so victims can take good notice of it? This thread seems to demonstrate how vital this information can be.

polonus

I agree. One piece of advice I give, in the Spanish Forum, to members complaining of an infection is not to touch anything that Avast!, SAS or even MBAM find, and even less to use or clean temp files. I send them here if they know English, or to InfoSpyware in Spanish.

Not a bad idea - I will work on that over the weekend ;D

Here is another case showing why a sticky warning not to eliminate what was found during a scan is so important.