[Removal Thread] Win32/Sirefef.GC Is Not Removed by Anti-Virus Program

Generality of Win32/Sirefef.GC

Win32/Sirefef.GC is a Trojan horse that attacks Windows 32 bit computers. It comes from Sirefef family that features the capabilities of:

1. Dropping down additional items on a targeted machine.
2. Connecting to the designated URL/port to execute more orders.
3. Disguising itself as a normal item to trap for trust and prevent automatic removal.
4. Stealing confidential information.

It is quite troublesome to get infected by Win32/Sirefef.GC as many more unknown items will be installed without permission to consume plenty of internal resource, leaving little to hinder pivotal parts of a system to fully play.
 

Findings by VilmaTech

One

PUP.Optional.BrowseFox.A, PUP.Optional.OptimizerPro.A and PUP.Optional.SmartBar.A have been found to be always with Win32/Sirefef.GC affection. This implies that Win32/Sirefef.GC is bundled with some software, adware and other web applications for propagation; besides, the Sirefef Trojan is willing to cooperate with other items and have them, for example help with the modification work such as modifying DNS settings so that some vicious deeds will not be hindered or detected by the build-in security defense system.
 
Two

The following files have been found to be replaced by the items generated and deleted by Win32/Sirefef.GC to confuse the affected machine:

c:\windows\system32\eventlog.dll
c:\windows\system32\logevent.dll
c:\windows\system32\cngaudit.dll
c:\windows\system32\logevent.dll

They are .dll (Dynamic Link Library) files with the capability of assigning multiple tasks at one time. By doing so, any click on executable files will activate Win32/Sirefef.GC, prevent the machine as well as victims from tracking it down and enable the Sirefef Trojan horse to modify the drivers concerning critical part of a system as well as write its running into background processes.
 
Three

Win32/Sirefef.GC seldom adopts keyloggers to record confidential information; instead, it directs people to some unsafe destinations or attacks the JavaScript of loosely programmed web sites such as websearch.com, using JS and BHO techniques to record any in-put information or asking victims to fill out a form with confidential information such as card number, address, etc..

In sum, Win32/Sirefef.GC is so highly elusive that anti-virus programs are not able to remove it completely and thoroughly. Manual way is thus recommended. However, certain level of computer skills and virus knowledge is required to carry out the following offered removal thread without being confused by some vicious items resembling system ones. Should you need specialized technical help, just start a live chat here.

 

Manual Thread to Remove Win32/Sirefef.GC

1.    end the processes related to Win32/Sirefef.GC.

• Press down Win key and R key together to get Run box.
• Put in “CMD” and hit Enter key to get a little black window.
• Type “taskkill.exe /im msblast.exe” (or “taskkill.exe /im teekids.exe” or “taskkill.exe /im penis32.exe” according the OS installed) to the place where a line is flashing and hit Enter key.
• When the Task Manager pops up, please hit on View tab to select “Select Colums”.
  
• In the next window, please check “PID” and “Path name” so as to check the processes according to the directories.
• End the related processes related to Win32/Sirefef.GC.

 
 
2.    end the services related to Win32/Sirefef.GC.

Windows7/vista/XP

• Get the Run box and put in “services.msc”.
  
• Hit Enter key will access the service window.
• Remove/disable the service with the directory directing to Win32/Sirefef.GC’s location according to the warning alert by the installed anti-virus program.

 
Windows 8

• Access Windows Explorer to select Administrative tools.
• Double click on Services icon and remove/disable the service with the directory directing to Win32/Sirefef.GC’s location according to the warning alert by the installed anti-virus program.
  

 
 
3.    show hidden files and folders to remove the ones related to Win32/Sirefef.GC.

Windows 7/XP/Vista

• Access ‘Control Panel’ to click open “user accounts and family safety”.
• Please then choose ‘Folder Options’ to hit its View tab.
• Next tick ‘Show hidden files and folders’ and non-tick ‘Hide protected operating system files (Recommended)’.
• Press ‘OK’ button will show all hidden items.
  

 
Windows 8

• Access Windows Explorer and browse to View tab.
• Tick ‘File name extensions’ and ‘Hidden items’.
• Press ‘OK’ button will show all hidden items.
  

 
a.    remove temp files.

C:\WINDOWS\Temp
C:\Documents and Settings\[user name]\Local Settings\Temp
C:\Documents and Settings\[user name]\Local Settings\Temporary Internet File

 
b.    remove the items generated by Win32/Sirefef.GC when and after the Trojan was firstly flagged by the installed anti-virus program.

To identify the ones generated when and after the Trojan was firstly flagged by the installed anti-virus program, one should:

• Right click on the space of the window you are inspecting to hover mouse over “Arrange by”.
• Select “Day” I the drop-down list and the file will be arranged automatically and chronologically.
  

When done, please navigate to the following directories respectively and remove the related ones:

%SystemDriver%\
C:\Windows
C:\Windows\System32
C:\windows\winstart.bat
C:\windows\wininit.ini
C:\windows\Autoexec.bat
C:\Users\[your username]\Documents\
C:\users\user\appdata\local\
C:\Program Files\

 
 

Purpose of Win32/Sirefef.GC

The ultimate purpose of Win32/Sirefef.GC is money even though it never stops dropping down additional suspicious items and virus to damage a machine. Actually, by dropping down virus, Win32/Sirefef.GC could gain profitable commission. Besides, as the online marketing becomes more and more competitive, online operators thirst for PC users’ information for better promotion. By selling the recorded information to them, Win32/Sirefef.GC can get a large sum of money.
 

Win32/Sirefef.GC Removal Tips

As Win32/Sirefef.GC rages recently and it owns wide range of dissemination routines, any carelessness would end up with Win32/Sirefef.GC again even though a complete and thorough removal was made. Therefore, it is recommended to remove the additional items dropped down by the Sirefef Trojan in the process.

Be noted that what offered above is removal thread, it helps you to find out the related items rather than offering the exact ones for victims, which is impossible as the name of the dropped down items could vary from one OS to another. Should you need exclusive help according to your concrete situation, it is recommended to contact Vilmatech Online Support by starting a live chat here.

 

Create A Restore Point

It is advisable to create a restore point after removing Win32/Sirefef.GC completely and the additional items. It is hard to guarantee that no affection will happen in the future as cyber criminals keep attacking the Internet in an attempt to get money greedily. Once the next affection occurs, restore to the previous point would at least alleviate mechanical troubles when it isn’t able to kill the infection, so that the quick removal could prevent further harms effectively. Here’s the video to show how:

Published & last updated on April 22, 2020 by Erik V. Miller