CATEGORY: Malware

How to remove win64/sirefef.AE trojan & c:\windows\system32\services.exe win64 patched b.gen trojan

I’m kind of the default “go to” guy for all PC issues with friends and family. One of the most common problems people bring to me is malware. Going forward, I’m going to document the removal process for some of the more difficult ones I encounter.

The most difficult trojan I’ve encountered thus far is the sirefef.AE trojan. It infects the PC by replacing c:\windows\system32\services.exe which is pretty ingenious in that it’s extremely difficult to remove since Windows requires it and it’s always in use which keeps the antiviruses and applications from being able to remove it.

I just spent a few days battling this one and successfully cleaned it off the system.

To remove it:

  1. Run the ESET Online Scanner (http://www.eset.com/us/online-scanner/). Have it scan archives and let it remove whatever it finds.Side note: If you use Norton or McAfee for antivirus protection, now’s a good time to dump them for an antivirus that actually works and doesn’t hog resources: http://go.eset.com/r/7NQZN
  2. Run ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) in safe mode. It will find and remove some of the trojans already downloaded. Instructions are on the bleepingcomputer page on how to use it but for the most part it’s mostly automated.
  3. Download and install MalwareBytes (http://majorgeeks.com/download.php?det=5756). The free version will suffice. Run a full system scan and remove whatever it finds.
  4. You will need a Recovery Disc from Windows 7 for the next step. Make one on a non-infected computer if you don’t have one already.
  5. Download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save to a flash drive.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:Startup Repair System Restore Windows Complete PC Restore Windows Memory Diagnostic Tool Command Prompt

Uninstalling Trend Micro Client/Server Security without a Password

Lost or forgot your Trend Micro Client/Server Password? How about inheriting a computer that had the software installed by an IT team or consultant that won’t give up the password? I had to work on a network with the latter and it’s rather annoying. The product is utter crap as the machine is spyware infested even though the antivirus is running and present. I went to uninstall it but can’t because the previous person/company password protected it and nobody has it.

Here’s how to bypass the protection:

  1. Load up Regedit and browse to:
    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\Allow Uninstall
  2. Change the value to 1.

Now you can uninstall TrendMicro’s crappy product and replace with a real solution like Eset.

There are no more results.