Wednesday, June 4, 2014

Win32/Sirefef.GC – Vicious Behaviors and Recommended Removal Thread

remove Win32/Sirefef.GC Trojan horse

  • Aliases
  • Troubles from Win32/Sirefef.GC
  • How Win32/Sirefef.GC spreads?
  • Win32/Sirefef.GC’s vicious payloads
  • The purpose of Win32/Sirefef.GC
  • Effective thread to remove Win32/Sirefef.GC


Win32/Sirefef.GC can also be called as Trojan dropper,Max+++ and ZeroAccess Trojan. The appellation is different depending on the anti-virus program installed. No matter what it is called, Win32/Sirefef.GC is categorized as a Trojan horse and it is a recent variant of Sirefef family that started alive on the Internet appox. half a decade ago.

Troubles from Win32/Sirefef.GC

  1. One might receive the message "Error communicating with kernel”.
  2. The affected machine will not install/download security utilities.
  3. Browser mass emerges, one would see randomly popping up ads, hijacking/redirecting.
  4. Some message would pop up to ask for identity confirmation.
  5. The installed anti-virus program would detect Win32/Sirefef.GC but will not remove it.
  6. Additional computer threats can be expected before long.

How Win32/Sirefef.GC Spreads?

  1. Spam emails
    To hack email accounts, Win32/Sirefef.GC manages to earn trust and thus clicks on the attachment; of course the name of the attachment could be attractive.

  2. Infected removable drives
    To prevent Win32/Sirefef.GC from propagating through the removable devices, it is recommended by security company to disable Autorun.

  3. Bundled with other software
    VilmaTech Online Support has found that Trojan:Win32/Necurs family would drop the variants of Win32/Sirefef including Win32/Sirefef.GC. Some rogueware would also bring in the Trojan horse. 

  4. Hacked or compromised web pages
    It is advisable not to visit loosely built web page as the bugs are so obvious that can be readily exploited by virus. The following listed items have been detected to be together with Win32/Sirefef.GC:
  • PUP.Optional.BrowseFox.A
  • PUP.Optional.OptimizerPro.A
  • PUP.Optional.SmartBar.A 

Win32/Sirefef.GC Payloads 

Win32/Sirefef.GC is highly elusive, when it finally worms into a system, it will then create copies of the installed system file and then delete the source ones so that the machine and security system will not interrupt its evil deeds but instead execute harmful deeds. Usually, Win32/Sirefef.GC would create the copies of dll (Dynamic Link Library) files as such file control almost all resource. The following files have been found to be replaced:

Besides, some other files ended with “.sys” will be dropped by Win32/Sirefef.GC to in the %systemdrive%\windows\ folder so as to modify the drivers concerning security defense and other pivotal parts of a machine. As a consequence, the related hardware would be controlled and Win32/Sirefef.GC becomes capable of creating and running a new thread with its own program code within any running process. When all the files are put in place, Win32/Sirefef.GC becomes capable of:
  1. Downloading and running other files.
  2. Modifying DNS and contacting remote hosts to download additional items or and thus gain profitable income for its maker (%windir%\PCHealth\HelpCtr\Binaries\HelpSvc.exe has been detected).
  3. Disabling security features to prevent from being removed automatically and easily.

The Purpose of Win32/Sirefef.GC

Though damages will be easily detected when being under the attack by Win32/Sirefef.GC, ruin system is not its ultimate goal; instead, it is money. By loading down additional infections or items, the Sirefef Trojan horse manages to get commission. What’s worse, Win32/Sirefef.GC adopts keylogger to record the in-put information or direct people to some vicious web page to collect confidential information such as bank card, address, phone number, etc..

By selling such confidential information, Win32/Sirefef.GC could get a barrel of money or its maker could empty the bank account with the information.

Follow Recommended Thread to Remove Win32/Sirefef.GC

Bring up Task Manager to remove the items with the path directing to Win32/Sirefef.GC's according to the report by the installed anti-virus program.
(tip: if you are not able to access Task Manager with the key combination, please access Run box from Start menu and type “CMD”; hit Enter key to put in “taskkill.exe /im msblast.exe” or “taskkill.exe /im teekids.exe” or “taskkill.exe /im penis32.exe”)

Access Task Manager > View > select columns > tick "PID" and "Path name" > go to open up System Information > end the process with path name directing to  Win32/Sirefef.GC's path(according to the threat alert) or the path that doesn't belong to system.
select Colunms to tick PID and Path Name
(tip: if some vicious processes reappear, one could find the PPID through PID functionality; please then remove the parent process(es) with the command “taskkill /im system.exe /f” through DOS window.)

show hidden files and folders to remove the ones created by Win32/Sirefef.GC.

Windows 7/XP/Vista - Control Panel > user accounts and family safety > Folder Options > View tab > tick ‘Show hidden files and folders’ > non-tick ‘Hide protected operating system files (Recommended)’ > OK button.

Windows 8 - Windows Explorer > View tab > tick ‘File name extensions’ and ‘Hidden items’ > OK button.
turn off system restore to remove Win32/Sirefef.GC

  • Access the detected path and remove all the items there.
  • Remove the following listed files:
  • Access the following folders to remove the items generated on the day when  Win32/Sirefef.GC was firstly detected:
    (tip: if one owns Windows XP, it is suggested to execute the following steps after closing down System Restore function: right click on “My Computer”/”Computer” > Property > navigate to System Restore tab > tick “Turn off System Restore”)
C:\Users\[your username]\Documents\
C:\Program Files\

variable declarations
  • %SystemDriver% - the system division is "C:\" by default.          
  • %SystemRoot% - the directory of WINDOWS is known as“C:\Windows” by default.
  • %Documents and Settings% - the user's document is commonly referring to as “C:\Documents and Settings”.

Remove cookies from browser settings.

Internet Explorer
Tools icon > Safety > “Delete browsing history” option in > tick “Cookies” > “Delete” button.

Chrome ‘Customize and control’ menu > Tools > “Clear Browsing Data” option > tick “Delete cookies … “> “Clear browsing data”.

Tools menu > “Cookie Manager” > “Manage Stored Cookies” > remove all cookies.

Open up Opera and make it as the current browser > Alt+P key combination > Privacy and Safety > “Cookie” > click on “all cookies and website data” button.

Remove Temp files.

C:\Documents and Settings\[user name]\Local Settings\Temp
C:\Documents and Settings\[user name]\Local Settings\Temporary Internet File

Search for "PUP.Optional" and remove any detections.

Open up any folder > hit on the search icon/button > type “PUP.Optional to all the given blanks > press “Search button”.
search for the PUP.Optional dropped by Win32/Sirefef.GC

After removing Win32/Sirefef.GC with the above offered thread, one should also seek the corresponding solution in virus reservoir to the detected vicious items brought in by the Trojan so that its re-image can be greatly prevented. Be noted that what the above offers is the removal thread, it is impossible to list out all the related items out due to the fact that Win32/Sirefef.GC downloads items randomly and that the directories would be different from OS. Also one should be informed that all the solutions are only to remove Win32/Sirefef.GC thoroughly and completely. If one wants no Win32/Sirefef.GC again, one should pay extra attention when surfing on the Internet, downloading and installing random programs, follow good practices all the time. Yet it is hard to shun away from Win32/Sirefef.GC Trojan as it is an excellent disguiser.
get expert help in removing Win32/Sirefef.GC

No comments: