Topic: win32/siref & win64/siref


Yzed (Guest)
win32/siref & win64/siref
« on: October 10, 2013, 11:01:39 AM »
Hi

You will realise after reading this that I know my way around a computer, but only enough to get me into trouble, so don't think I'm actually understanding anything I'm saying...

I've recently found I had the malware "win32/siref" and "win64/siref". I only found it due to the Windows Firewall not being on and not able to be turned on, not being able to open the "security service centre?", and not able to run Windows Update. After a quick internet search, I started virus scanning.

I ran the Windows MRT twice; Avast a number of times, both full and quick scans, and boot scan; SUPERAntiSpyware (nothing but tracking cookies, let me know if you want that log too); this was all done in no sensible order, just random searches. A number of infected files were found, but I think the main offenders were the "sirif" ones. Java was also over-represented in the infected, and after some quick searching I found I had an older, insecure version. So I updated it, then removed the old version, then removed it again, then reinstalled the update, then ran the old removal tool, then updated it again just to be sure.

After all this, I had a proper read on this site and downloaded the programs you guys say to run. I will post all logs that I can, hopefully in the order that they were scanned (can't work out how to make the Avast logs uploadable and not sure why I have two ADW logs, but I reckon you guys can figure it out).

I now have the firewall back and I just updated, but I'm not convinced I've gotten rid of the virus. My Start Bar search function doesn't work, and when I run Microsoft Fixit, it says it can't detect the status of my firewall and it can't fix it. I also had the command prompt pop up after restarting from the OTL thing; a rough guess of what it said was "C:\user\*my name*\win32 c:(some characters and spaces) C:\user\*me again*\win32". Not long after, the OTL logs popped up, so I'm hoping it was related to that.

It would be awesome if you guys could give me peace of mind (obviously I only want good news :) Thanks in advance, I hope I haven't flooded you guys with too much info.

Another post after this with more logs

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: win32/siref & win64/siref
« Reply #1 on: October 10, 2013, 11:53:39 AM »
Hi,


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
--------- next ----------
Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool.
  • Select Yes if prompted to download the Avast database.
  • Click Scan.
  • Upon completion of the scan ( Scan finished successfully ) click Save log and save it to your desktop, and post that log in your next reply for review.
    Note: do NOT attempt any Fix yet.


Yzed (Guest)
Re: win32/siref & win64/siref
« Reply #2 on: October 10, 2013, 11:57:13 AM »
The other logs, and I forgot I also ran Malwarebytes Anti-Malware at some point.

magna86
Re: win32/siref & win64/siref
« Reply #3 on: October 10, 2013, 11:59:21 AM »
Good. Perform the FRST scan. FRST is the big daddy for that stuff.  8)

Yzed (Guest)
Re: win32/siref & win64/siref
« Reply #4 on: October 10, 2013, 12:03:36 PM »
wow, you guys are quick!!

magna86
Re: win32/siref & win64/siref
« Reply #5 on: October 10, 2013, 12:52:53 PM »
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{0379552d-6a7d-3420-15c3-87b35402090a}\   \...\???\{0379552d-6a7d-3420-15c3-87b35402090a}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Users\Matt\AppData\Local\Google\Desktop\Install
C:\Program Files (x86)\Google\Desktop\Install
C:\Users\Matt\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Matt\AppData\Local\Temp\Quarantine.exe
C:\Users\Matt\AppData\Local\Temp\ypx1ikz7.dll
MountPoints2: {44e82fc4-0900-11e0-8c12-705ab6bd8e2e} - E:\WIN\setup.exe
MountPoints2: {90e6f28a-e8f0-11e2-8103-00a0d5ffffae} - E:\Windows\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A01B06 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}
MountPoints2: {eb66821b-9dea-11df-9a03-806e6f6e6963} - D:\autorun.exe
HKLM\...\Run: [] - [x]
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.telstra.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
BHO: TmBpIeBHO Class - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1104\7.1.1104\TmBpIe64.dll No File
BHO-x32: TSToolbarBHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll No File
C:\Program Files\Trend Micro
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} -  No File
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1104\7.1.1104\TmBpIe32.dll No File
Handler-x32: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll No File
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 07 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 07 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
FF HKLM-x32\...\Firefox\Extensions: [{22181a4d-af90-4ca3-a569-faed9118d6bc}] - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension
FF HKLM-x32\...\Firefox\Extensions: [{38783831-6098-4faa-A9C9-1EE1E343F4D2}] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1104\7.1.1104\firefoxextension
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension\
File: C:\windows\system32\drivers\bniprupv.sys
CMD: netsh winsock reset
CMD: ipconfig /flushdns
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that its version is outdated, please download and run the updated version.


------------------ next ------------------


Re-run FRST and post me a fresh FRST.txt log.
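The fixlist above removes four kinds of ZeroAccess/Sirefef artefact: the drop directory with unprintable folder names, the rootkit's service, the damaged Winsock name-space catalog entries, and the cached MountPoints2 autorun commands. The script below is an added example, not code from the thread or from FRST, that re-checks those same indicators read-only so you can confirm the fix took. The drop directories, the reversed service name ("etadpug" is "gupdate" backwards) and the two expected Winsock libraries come straight from the FRST lines quoted in the thread; the regex heuristics, the Catalog_Entries64 key and the default Windows 7 x64 layout are my assumptions. Run it in an elevated Windows PowerShell on the affected machine; it removes nothing.

```powershell
# Added example (not from the thread or FRST): read-only re-check of the
# ZeroAccess indicators in the fixlist above. Assumes Windows 7 x64 paths.
function Find-ZeroAccessIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Drop directories. ZeroAccess hid under Google Desktop's Install folder
    #    in a subfolder named only with spaces, whose children use names the
    #    Win32 API normally rejects (trailing spaces/dots, control characters).
    $dropDirs = @(
        "${env:ProgramFiles(x86)}\Google\Desktop\Install",
        "$env:ProgramFiles\Google\Desktop\Install",
        "$env:LOCALAPPDATA\Google\Desktop\Install"
    ) | Where-Object { $_ -notmatch '^\\' } | Select-Object -Unique
    foreach ($dir in $dropDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $findings.Add("Drop directory present: $dir")
        try {
            Get-ChildItem -LiteralPath $dir -Force -Recurse -ErrorAction Stop |
                Where-Object { $_.Name -match '^\s+$|[\s.]$|\p{C}' } |
                ForEach-Object { $findings.Add("Illegal-name entry: $($_.FullName)") }
        } catch {
            # Names that cannot be walked through normal Win32 calls are an
            # indicator in themselves; FRST reads them via the \\?\ prefix.
            $findings.Add("Cannot enumerate ${dir}: $($_.Exception.Message)")
        }
    }

    # 2. The rootkit's service. Here it was registered as "etadpug", the
    #    legitimate Google Update service name "gupdate" reversed, with its
    #    ImagePath inside the drop directory.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name  = $_.PSChildName
            $image = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            $chars = $name.ToCharArray(); [array]::Reverse($chars)
            if ($image -match 'Google\\Desktop\\Install' -or (-join $chars) -ieq 'gupdate') {
                $findings.Add("Suspicious service ${name}: $image")
            }
        }

    # 3. Winsock name-space catalog (Catalog5). FRST reported entries 01 and 07
    #    pointing at a bare "mswsock.dll" that does not resolve; the expected
    #    libraries are the ones FRST printed. The generic form of the check is
    #    "LibraryPath must be an existing absolute path".
    $expected = @{ '000000000001' = 'NLAapi.dll'; '000000000007' = 'mswsock.dll' }
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
    foreach ($cat in 'NameSpace_Catalog5\Catalog_Entries', 'NameSpace_Catalog5\Catalog_Entries64') {
        if (-not (Test-Path "$base\$cat")) { continue }
        Get-ChildItem "$base\$cat" | ForEach-Object {
            $id  = $_.PSChildName
            $lib = (Get-ItemProperty -LiteralPath $_.PSPath).LibraryPath
            $resolved = [Environment]::ExpandEnvironmentVariables([string]$lib)
            if (-not [IO.Path]::IsPathRooted($resolved) -or -not (Test-Path -LiteralPath $resolved)) {
                $findings.Add("Winsock $cat $id LibraryPath does not resolve: '$lib'")
            }
            if ($expected.ContainsKey($id) -and $resolved -and
                (Split-Path -Leaf -Path $resolved) -ine $expected[$id]) {
                $findings.Add("Winsock $cat $id is '$lib', expected $($expected[$id])")
            }
        }
    }

    # 4. MountPoints2 autorun commands cached from removable media; the thread's
    #    entries pointed at E:\autorun.exe and D:\autorun.exe.
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    Get-ChildItem $mp -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = "$($_.PSPath)\Shell\AutoRun\command"
        if (Test-Path -LiteralPath $cmdKey) {
            $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
            $findings.Add("MountPoints2 $($_.PSChildName) autorun: $cmd")
        }
    }

    return $findings
}

Find-ZeroAccessIndicators
```

An empty result after the Fix run is what you want to see; a surviving "Cannot enumerate" line means the spaces-only folder is still there and needs another pass (FRST's own `\\?\`-prefixed deletion is the right tool for that, not Explorer).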

Yzed (Guest)
Re: win32/siref & win64/siref
« Reply #6 on: October 10, 2013, 01:02:53 PM »
first FRST...

With the re-run, do I press Fix, or Scan with the same settings as the first scan?

Yzed (Guest)
Re: win32/siref & win64/siref
« Reply #7 on: October 10, 2013, 01:07:32 PM »
This is a re scan with the "list BCD" and "Driver MD5" option selected.

The 2nd file in the post above is just a double up

magna86
Re: win32/siref & win64/siref
« Reply #8 on: October 10, 2013, 01:56:09 PM »
Hi,
You did it right. The options "List BCD" and "Driver MD5" are only important on the initial scan; on each subsequent run of FRST they are not needed.
So you do not need to check those boxes anymore; the default settings are fine.  ;)


=> Do NOT attach any USB device while cleaning is in progress. We shall later check USB devices too for malware via the MCShield tool...
=> Re-run this FRSTScript:


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
MountPoints2: {90e6f28a-e8f0-11e2-8103-00a0d5ffffae} - E:\Windows\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A01B06 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}
BHO-x32: TmBpIeBHO Class - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1104\7.1.1104\TmBpIe32.dll No File
Toolbar: HKLM-x32 - Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll No File
S1 bniprupv; \??\C:\windows\system32\drivers\bniprupv.sys [x]
C:\windows\system32\drivers\bniprupv.sys
U2 TMAgent;
C:\ProgramData\Trend Micro
C:\Program Files\Trend Micro
File: E:\Windows\AutoRun.exe
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that its version is outdated, please download and run the updated version.

Yzed (Guest)
Re: win32/siref & win64/siref
« Reply #9 on: October 10, 2013, 02:38:32 PM »
I ran the fix offline this time, but my internet connection is via USB, so is it ok to keep it attached during the cleaning?

magna86
Re: win32/siref & win64/siref
« Reply #10 on: October 10, 2013, 02:48:53 PM »
Quote: "I ran the fix offline this time, but my internet connection is via USB, so is it ok to keep it attached during the cleaning?"

In that case, yes. We shall run the USB scan right away, and thereafter we will run tools to fix and repair all the damage caused by this rootkit.
> Check USB storage devices / removable drives
Download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

  • Double click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
    Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, attach the log report that MCShield has created.

Start -> All Programs -> MCShield -> Logs

Attach here -> AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
------- next --------
Please download the ESET Services Repair tool, available here, and save it to your Desktop. Right click on it and select Run As Administrator, then follow the prompts. It should reboot when it finishes; if not, reboot yourself.
http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe
Post the log reports it creates here.
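The USB step above exists because the MountPoints2 entries in the first fixlist pointed at E:\autorun.exe and D:\autorun.exe, i.e. at least one removable drive once offered an autorun command to this PC. As an added example, not part of the thread and not MCShield's code, the script below does a read-only inspection of every removable drive for the two artefacts such a worm leaves behind: an autorun.inf in the root and hidden executables or shortcut lures beside it. The open=/shellexecute= keys of autorun.inf are standard; the extension list and the DriveType filter are my assumptions. Windows PowerShell, no elevation needed.

```powershell
# Added example (not from the thread or MCShield): read-only autorun check of
# removable drives. Assumes Windows PowerShell with WMI available.
function Get-RemovableDriveAutorun {
    $report = @()
    $exts = '.exe', '.scr', '.com', '.pif', '.lnk', '.vbs'   # assumption: lure types worth flagging
    # DriveType 2 = removable disk (USB sticks, card readers, most phones/players)
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $root = $_.DeviceID + '\'
        $item = New-Object PSObject -Property @{
            Drive = $_.DeviceID; Label = $_.VolumeName
            AutorunInf = $false; AutorunTarget = $null; HiddenFiles = @()
        }
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $item.AutorunInf = $true
            # autorun.inf is an INI file; the [autorun] section's open= or
            # shellexecute= line names what Explorer would have launched.
            foreach ($line in (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue)) {
                if ($line -match '^\s*(open|shellexecute)\s*=\s*(.+?)\s*$') {
                    $item.AutorunTarget = $Matches[2]; break
                }
            }
        }
        # Hidden executables/shortcuts in the root are the classic companion of
        # autorun.inf: the worm hides the real folders and drops lookalike lures.
        $item.HiddenFiles = @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                           $exts -contains $_.Extension.ToLower() } |
            ForEach-Object { $_.Name })
        $report += $item
    }
    return $report
}

Get-RemovableDriveAutorun | Format-List Drive, Label, AutorunInf, AutorunTarget, HiddenFiles
```

Windows 7 with the 2011 AutoRun update no longer executes autorun.inf from USB drives, so a hit here does not mean the PC was infected by that stick; it does mean the stick has been on an infected machine and should be cleaned before it goes anywhere else.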

Yzed (Guest)
Re: win32/siref & win64/siref
« Reply #11 on: October 10, 2013, 03:08:10 PM »
The MCShield scan was clear, but I still added the log, since I don't know what I'm looking at :)

I can't find the log for the services repair.

magna86
Re: win32/siref & win64/siref
« Reply #12 on: October 10, 2013, 03:12:53 PM »
Quote: "The MCShield scan was clear"
This is good news.  :)

Quote: "I cant find the log for the services repair"
Then we shall check with another of Farbar's tools to see whether Services Repair did the job.


Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
Tell me, how is your computer behaving?
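Farbar Service Scanner answers one question per category: does the service key still exist, is it set to start, does its ImagePath resolve, and is it actually running. The script below is an added example, not from the thread, from ESET's tool or from FSS, that asks the same questions in PowerShell so you can confirm the Services Repair run worked even though its log could not be found. The mapping of FSS's six categories to service names is my own reading of its option list, and the Deny-ACE count is an extra check I added (a Deny ACE on the service key stops the Service Control Manager from starting a service whose key otherwise looks intact). Run it in an elevated Windows PowerShell.

```powershell
# Added example (not from the thread, ESET or FSS): verify the service groups
# FSS reports on. Service-name mapping per category is an assumption.
$fssGroups = @{
    'Internet Services'             = 'Dhcp', 'Dnscache', 'nsi'
    'Windows Firewall'              = 'MpsSvc', 'BFE'
    'System Restore'                = 'VSS', 'swprv'
    'Security Center/Action Center' = 'wscsvc'
    'Windows Update'                = 'wuauserv', 'BITS'
    'Windows Defender'              = 'WinDefend'
}

function Get-ServiceHealth {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $r = New-Object PSObject -Property @{
        Service = $Name; KeyExists = $false; Start = $null; ImagePath = $null
        ImageOnDisk = $false; Status = 'not registered'; DenyAces = 0
    }
    # A missing key is the worst case: the service must be recreated, which is
    # what the ESET Services Repair tool does.
    if (-not (Test-Path -LiteralPath $key)) { return $r }
    $r.KeyExists = $true
    $p = Get-ItemProperty -LiteralPath $key
    $r.Start     = $p.Start            # 2 = automatic, 3 = manual, 4 = disabled
    $r.ImagePath = $p.ImagePath
    if ($p.ImagePath) {
        # ImagePath may be quoted, hold %SystemRoot%, carry a \??\ prefix, be
        # relative to the Windows directory (drivers) and end in arguments
        # such as "-k netsvcs"; keep only the executable.
        $exe = [Environment]::ExpandEnvironmentVariables($p.ImagePath) -replace '^\\\?\?\\', ''
        if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
        elseif ($exe -match '^(.+?\.(exe|sys|dll))(\s|$)') { $exe = $Matches[1] }
        if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
        $r.ImageOnDisk = Test-Path -LiteralPath $exe
    }
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { $r.Status = $svc.Status.ToString() }
    # Extra check: Deny ACEs on the key block the SCM even when the key exists.
    $r.DenyAces = @((Get-Acl -LiteralPath $key).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' }).Count
    return $r
}

foreach ($group in ($fssGroups.Keys | Sort-Object)) {
    "== $group =="
    $fssGroups[$group] | ForEach-Object { Get-ServiceHealth $_ } |
        Format-Table Service, KeyExists, Start, Status, ImageOnDisk, DenyAces -AutoSize
}
```

A healthy Windows 7 box shows KeyExists True, ImageOnDisk True and DenyAces 0 on every row; MpsSvc, BFE, wscsvc and wuauserv should be Running with Start 2. Anything else in those columns is what FSS would print as a problem and is the line to quote back to the helper.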

Yzed (Guest)
Re: win32/siref & win64/siref
« Reply #13 on: October 10, 2013, 03:23:41 PM »
So apparently "Bleeping Computer" is under DDoS attack (like I know what that means :) and has been taken offline. Is there another place to download the Farbar scanner?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: win32/siref & win64/siref
« Reply #14 on: October 10, 2013, 03:28:35 PM »
Quote: "so apparently "Bleeping Computer" is under DDOS attack(like I know what that means:) and has been taken offline. Is there another place to download the Fabar scanner?"
the site works fine from my iPad....