Recover From The “win64/Sirefef.W” Virus Infection


Recently, the Microsoft Security Essentials (MSE) running on my Windows 7 64bit desktop detected the “win64/Sirefef.W” virus. The “win64/Sirefef.W” (or variants like “win64/Sirefef.Y” and “win64/Sirefef.B”) is a trojan which can install rootkits and other malicious programs onto your machine, in addition to providing security backdoors and other nasty stuff. On my machine, the “Windows/System32/services.exe” file was infected, which is really bad because services.exe is used to launch essential Windows Services.

Unfortunately, MSE was unable to clean the “win64/Sirefef.W” virus after detecting it. In the middle of cleaning, the desktop rebooted. On restart, MSE detected the virus again and displayed a message saying that the machine needed to be rebooted in a minute. A minute later, the desktop rebooted, MSE once again detected the virus and displayed a reboot warning. This cycle appeared to repeat endlessly, rendering my Windows 7 64bit desktop useless.

Manual intervention was necessary. Fortunately, I was able to dual-boot the infected desktop to run an older, clean Windows XP operating system. (If you don’t have a dual-boot, see comments for alternative methods to get a clean “services.exe” on your machine; search for JAKiii who updated Andre’s instructions.) More fortunately, I had a clean Windows 7 64bit operating system on my laptop. Using Windows XP, I was able to copy the clean “Windows/System32/services.exe” file from my laptop to the Windows 7 partition on my desktop (I left the corresponding “services.msc” alone). (Note: In the future, if I only had one machine, I would consider having a dual-boot of two Windows 7 operating systems; the first of which is for my day-to-day usage, and the second is a barebones install which is the reference install. I might consider ghosting just the barebones one for easy restore.)

After replacing “services.exe”, I was able to restart my Windows 7 64bit desktop without MSE detecting the virus and forcing a reboot. I then did a full scan with both MSE and Malwarebytes to ensure that the whole machine was clean. I thought the problem was solved, but “win64/Sirefef.W” had damaged Windows 7 by removing security-related Windows services.

I found that the Base Filtering Engine (BFE), Windows Firewall (MpsSvc), Windows Security Center (WscSvc), Windows Update (wuauserv), and Background Intelligent Transfer Service (BITS) services were missing. The “win64/Sirefef.W” virus had deleted their registry entries. To recover, I exported the following registry entries from my laptop and then imported them into my desktop:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE (Base Filtering Engine)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc (Windows Firewall)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess (Required by Windows Firewall)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WscSvc (Windows Security Center)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv (Windows Update)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS (Background Intelligent Transfer Service – required by Windows Update)

For your convenience, here is a zip file, SirefefMissingServicesRegistryFix.zip, containing the registry exports above and the clean “\Windows\System32\services.exe” file from my Windows 7 64bit Service Pack 1 (SP1) laptop. The registry exports have file extension “.reg” and you can import the services you are missing by double-clicking on them. (For those who don’t have SP1, John in comments provides a link to his services.exe for Windows 7 Home Premium in addition to instructions on how to extract a version from your Windows 7 install DVD. Please make sure to scan the file with your virus scanner before using. That advice applies to everything, including the zip file that I include above.)

There is an additional step to do below, but at this point we need to reboot once so that the registry changes can take effect and Windows will recognize the “new” services. On reboot, Windows will fail to start the Base Filtering Engine and Windows Firewall services. If you attempt to manually start them, you will encounter “error code 5” messages (see below), which are “access denied” errors. The fix for these access denied errors is to add the necessary permissions to the registry for each of the services. (You can try to avoid this reboot, but Windows may complain if you attempt to add permissions for services like BFE which it may not recognize without a reboot. In this case, just reboot and then repeat the add permission instructions.)


Update: Originally, I couldn’t set an NT service name as a user in the registry permissions so I suggested using the “Everyone” user with “Full Control” permission. While that worked, it left a big security hole. Fortunately, gvozden in the comments provided the solution. I have updated the instructions to replicate the original registry permissions exactly (as set on my laptop).

Do the following to add the necessary registry permissions:

  1. Run “regedit”.
  2. Browse to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy” section.
    • Right-click on “Policy” and select “Permissions…”. If you see a “BFE” user listed under the “Group or user names” list, you do not need to add it below.
    • Click the Add button, type “NT service\BFE” (it’s actually case-insensitive), and click the OK button.
    • Click the Advanced button, double-click on BFE to edit, and select the following in the allow permissions column: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, and Read Control.
    • Click OK, OK, and OK to close the Permissions dialog.
  3. Browse to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess” section.
    • Right-click on “Epoch” and select “Permissions…”. If you see “MpsSvc” listed, you do not need to add it below.
    • Click the Add button, type “NT Service\MpsSvc”, and click the OK button.
    • Click the Advanced button, double-click on MpsSvc to edit, and select the following in the allow permissions column: Query Value and Set Value.
    • Click OK, OK, and OK to close the Permissions dialog.
  4. Repeat the steps above for “Epoch2”.
  5. (Note: I could run the Windows Firewall without permissions set on the following two registry keys; but on my laptop, they were set so I also set them on the desktop just in case.)
  6. Browse to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Defaults\FirewallPolicy” section.
    • Right-click on “FirewallPolicy” and select “Permissions…”. If you see “MpsSvc” listed, you do not need to add it below.
    • Click the Add button, type “NT Service\MpsSvc”, and click the OK button.
    • Click the Advanced button, double-click on MpsSvc to edit, and select the following in the allow permissions column: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, and Read Control.
    • Click OK, OK, and OK to close the Permissions dialog.
  7. Repeat the above for the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy” section.
  8. Reboot the machine.
  9. After the reboot, run “services.msc” and check that the “Base Filtering Engine”, “Windows Firewall”, “Security Center”, “Background Intelligent Transfer Service”, and “Windows Update” services are started successfully. The last three services are set to delayed start so they may not have started yet; in this case, you can manually start them.
  10. Run “Check security status” to see what Windows thinks about the security of the machine.
  11. Run “Windows Update” to get the latest security updates from Microsoft.
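The registry permission steps above, as an added PowerShell script that is not part of the original post. It is meant to be run from an elevated (administrator) prompt on the affected Windows 7 machine; it assumes the service accounts resolve as “NT SERVICE\BFE” and “NT SERVICE\MpsSvc”, and it opens each key with only the rights needed to read and change its DACL, skipping keys where the account is already listed, as the steps say to do.

```powershell
# Added example (not the original post's code): apply the ACEs from the steps above.
$svc = 'SYSTEM\CurrentControlSet\services'
# regedit name -> RegistryRights flag: Query Value=QueryValues, Set Value=SetValue,
# Create Subkey=CreateSubKey, Enumerate Subkeys=EnumerateSubKeys, Notify=Notify,
# Delete=Delete, Read Control=ReadPermissions
$bfeRights    = [System.Security.AccessControl.RegistryRights]'QueryValues,SetValue,CreateSubKey,EnumerateSubKeys,Notify,ReadPermissions'
$epochRights  = [System.Security.AccessControl.RegistryRights]'QueryValues,SetValue'
$policyRights = [System.Security.AccessControl.RegistryRights]'QueryValues,SetValue,CreateSubKey,EnumerateSubKeys,Notify,Delete,ReadPermissions'

$wanted = @(
    @{ Sub = "$svc\BFE\Parameters\Policy";                  Account = 'NT SERVICE\BFE';    Rights = $bfeRights },
    @{ Sub = "$svc\SharedAccess\Epoch";                     Account = 'NT SERVICE\MpsSvc'; Rights = $epochRights },
    @{ Sub = "$svc\SharedAccess\Epoch2";                    Account = 'NT SERVICE\MpsSvc'; Rights = $epochRights },
    @{ Sub = "$svc\SharedAccess\Defaults\FirewallPolicy";   Account = 'NT SERVICE\MpsSvc'; Rights = $policyRights },
    @{ Sub = "$svc\SharedAccess\Parameters\FirewallPolicy"; Account = 'NT SERVICE\MpsSvc'; Rights = $policyRights }
)

foreach ($w in $wanted) {
    # Open with READ_CONTROL | WRITE_DAC only: enough to read and rewrite the DACL.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($w.Sub,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions,ChangePermissions')
    if ($key -eq $null) {
        # As the post notes, the key may not exist until the .reg import and a reboot.
        Write-Warning "Key not found (imported .reg but not rebooted yet?): $($w.Sub)"
        continue
    }
    $sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    # Same skip rule as the steps: if the account is already listed, leave the key alone.
    $present = $sec.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $w.Account -and $_.AccessControlType -eq 'Allow' }
    if ($present) {
        Write-Host "Already present: $($w.Account) on $($w.Sub)"
    } else {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $w.Account, $w.Rights,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $sec.AddAccessRule($rule)
        $key.SetAccessControl($sec)   # persists only the modified DACL, not the owner
        Write-Host "Added $($w.Account) [$($w.Rights)] to $($w.Sub)"
    }
    $key.Close()
}
```

Reboot afterwards and check the services as in steps 8 and 9; a key that was reported as not found simply needs the reboot and a second run.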

Note: The “Base Filtering Engine” depends on the “IPsec Policy Agent” and “IKE and AuthIP IPsec Keying Modules” services. Thankfully, the “win64/Sirefef.W” virus left these two services alone on my desktop.

If you prefer the command line, you can use the Service Control Manager “\Windows\System32\sc.exe” command line program instead of the “services.msc” program. Just run the “Command Prompt” as an administrator and enter “sc” to see the command line options. Some useful ones I found were:

  • “sc qdescription wscsvc” which returns the human-friendly name “Windows Security Center” for “wscsvc”.
  • “sc query mpssvc” which returns the status for the “Windows Firewall” including recent exit codes.
  • “sc start bfe” which will attempt to start the “Base Filtering Engine” service.
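A read-only triage of the services listed earlier in the post (the ones the virus removed from the registry) plus the two BFE dependencies, as an added PowerShell script that is not part of the original post. It reports whether each service’s registry key is still present, its start type, and its current status, which is what the “sc query” checks above do by hand. It assumes the short names “PolicyAgent” and “IKEEXT” for “IPsec Policy Agent” and “IKE and AuthIP IPsec Keying Modules”.

```powershell
# Added example (not the original post's code): which of these services are missing?
$names   = 'BFE','MpsSvc','SharedAccess','WscSvc','wuauserv','BITS','PolicyAgent','IKEEXT'
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\services'

foreach ($n in $names) {
    $keyPath = Join-Path $svcRoot $n
    if (-not (Test-Path $keyPath)) {
        # The state described in the post: the key was deleted, so the service
        # no longer appears in services.msc or in "sc query" at all.
        Write-Host ("{0,-13} MISSING registry key (import a clean {1}.reg and reboot)" -f $n, $n)
        continue
    }
    $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    # Start: 2 = automatic, 3 = manual, 4 = disabled; DelayedAutostart=1 marks delayed start.
    $startName = switch ($props.Start) { 2 {'Automatic'} 3 {'Manual'} 4 {'Disabled'} default {"Start=$($props.Start)"} }
    if ($props.DelayedAutostart -eq 1) { $startName += ' (delayed)' }
    $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
    # Key present but no service object yet usually means no reboot since the import.
    $status = if ($svc) { $svc.Status } else { 'not visible to SCM yet (reboot?)' }
    Write-Host ("{0,-13} key present, start={1,-20} status={2}" -f $n, $startName, $status)
}

# Last exit codes for the firewall, as with "sc query mpssvc" in the post.
sc.exe query MpsSvc | Select-String 'STATE|EXIT_CODE'
```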

I found the following websites helpful while researching this topic:
