Author Topic: win32/siref & win64/siref  (Read 13077 times)


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: win32/siref & win64/siref
« Reply #15 on: October 10, 2013, 03:32:58 PM »
Quote
so apparently "Bleeping Computer" is under DDOS attack (like I know what that means :) and has been taken offline. Is there another place to download the Farbar scanner?

Hm...
Allow me to check what's going on with BC. BC is legit and the only official download link for sUBs' and Farbar's tools.

I've downloaded a copy of FSS and uploaded it to my FTP. Try to download it from here.
http://www.mcshield.net/personal/magna86/Temp/FSS.exe
[notice: this download link shall be removed upon completion of the case]

Yzed

  • Guest
Re: win32/siref & win64/siref
« Reply #16 on: October 10, 2013, 03:34:30 PM »
They are back. It wasn't connecting before, and I ended up at their Facebook page where they mentioned the DDOS attack...

Log attached

Offline magna86

Re: win32/siref & win64/siref
« Reply #17 on: October 10, 2013, 03:40:08 PM »
FSS log isn't good. It still shows some broken services.
Please re-run ESET Services Repair, allow the repairs and reboot the computer. Then re-run FSS to see the state of the services after running ESET SR.

Yzed

  • Guest
Re: win32/siref & win64/siref
« Reply #18 on: October 10, 2013, 03:52:55 PM »
Not sure that this one looks much better :(

I'm also going to have to go after this, as I have to get up early. If this hasn't fixed it, maybe we can keep at it tomorrow sometime :)

Offline magna86

Re: win32/siref & win64/siref
« Reply #19 on: October 10, 2013, 03:56:47 PM »
Quote
Not sure that this one looks much better :(

I'm also going to have to go after this, as I have to get up early. If this hasn't fixed it, maybe we can keep at it tomorrow sometime :)


Ok. I shall give you instructions for running Combofix. When CF finishes its scan & fix, re-run FSS again and post me the freshly created FSS log together with the Combofix log.

Do this when you have time for it (tomorrow?) as the malware itself is removed. You are safe.


Scan with Combofix:
  • Please download ComboFix and save it to your Desktop.
    You may read how Combofix works here.

  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.

  • When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) back to the topic.
    (typical log location: C:\ComboFix.txt )

Yzed

  • Guest
Re: win32/siref & win64/siref
« Reply #20 on: October 10, 2013, 04:01:58 PM »
Ok I'll let you know how it goes. Thank you very much for your time so far.

Yzed

  • Guest
Re: win32/siref & win64/siref
« Reply #21 on: October 10, 2013, 11:10:20 PM »
There was no restart between the ComboFix and the FSS. Felt like I should have...

I still seem to have no Start Bar search. Not sure what else is missing. Windows Defender is turned off and says it needs to update definitions before scanning (I didn't do this as I don't want to change our scan results).

Yzed

  • Guest
Re: win32/siref & win64/siref
« Reply #22 on: October 10, 2013, 11:33:45 PM »
Ran FSS after I restarted, just in case it changes anything.

Offline magna86

Re: win32/siref & win64/siref
« Reply #23 on: October 10, 2013, 11:45:49 PM »
CF did a good job.


Download RemoteAccess.reg from the link below and save it to the system root partition (C:\)
http://www.mcshield.net/personal/magna86/Temp/RemoteAccess.reg
Important: The full path of the saved RemoteAccess file should be "C:\RemoteAccess.reg"

We shall use FRST to import that file into the registry.


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:
CMD: reg import C:\RemoteAccess.reg
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version please download and run the updated version.


------- next -------


Re-run the FSS tool and post me the freshly created FSS.txt log
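
Before merging a .reg file the way the post above describes (whether through the FRST `CMD: reg import` line or by double-clicking it), a defender wants two checks: that the file really is a registry export and not a saved web page, and a record of what the listed keys contained before the merge so the change can be confirmed afterwards instead of trusting the fix log alone. The PowerShell script below is an added example written for this page; it is not one of Farbar's tools and not code from the thread. It assumes the path C:\RemoteAccess.reg used in the thread, a Before/After phase switch of my own design, and a snapshot file on the Desktop.

```powershell
<#
  Added example (not from the thread, not a Farbar/sUBs tool).
  Usage:  .\Check-RegFile.ps1 -Phase Before   # run before importing the .reg file
          .\Check-RegFile.ps1 -Phase After    # run after importing, prints what changed
  Assumptions: file path C:\RemoteAccess.reg (from the thread); snapshot path is mine.
#>
param(
    [ValidateSet('Before', 'After')]
    [string]$Phase = 'Before',
    [string]$RegFile = 'C:\RemoteAccess.reg',
    [string]$Snapshot = (Join-Path $env:USERPROFILE 'Desktop\reg-snapshot.csv')
)

# A genuine .reg export begins with this exact header line. A web page saved as text
# (the situation the user ran into) does not, and reg import would reject it anyway.
$lines = Get-Content -Path $RegFile -ErrorAction Stop
if ($lines.Count -eq 0 -or $lines[0].Trim() -ne 'Windows Registry Editor Version 5.00') {
    Write-Warning "$RegFile does not start with 'Windows Registry Editor Version 5.00'; not a valid .reg file."
    return
}

# Collect every key the file writes ([HKEY_...]) or deletes ([-HKEY_...]).
$targets = foreach ($line in $lines) {
    if ($line -match '^\[(-?)(HKEY_[^\]]+)\]\s*$') {
        [pscustomobject]@{ Key = $Matches[2]; Deletes = ($Matches[1] -eq '-') }
    }
}
if (-not $targets) { Write-Warning 'No registry keys found in the file.'; return }

# Map the long hive names to the PowerShell drives that exist by default.
function Convert-RegPath([string]$Key) {
    $Key -replace '^HKEY_LOCAL_MACHINE', 'HKLM:' -replace '^HKEY_CURRENT_USER', 'HKCU:'
}

# One row per value under each target key, or a marker row if the key is absent.
function Get-KeySnapshot($Targets) {
    foreach ($t in $Targets) {
        $path = Convert-RegPath $t.Key
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Key = $t.Key; Name = '(key missing)'; Value = '' }
            continue
        }
        $item = Get-ItemProperty -LiteralPath $path
        foreach ($p in $item.PSObject.Properties) {
            # Skip the provider metadata PowerShell adds to every registry object.
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            [pscustomobject]@{ Key = $t.Key; Name = $p.Name; Value = ($p.Value -join ',') }
        }
    }
}

$current = @(Get-KeySnapshot $targets)

if ($Phase -eq 'Before') {
    # Show what the file intends to do, then store the current state for later comparison.
    foreach ($t in $targets) { '{0} {1}' -f $(if ($t.Deletes) { 'DELETE' } else { 'WRITE ' }), $t.Key }
    $current | Export-Csv -Path $Snapshot -NoTypeInformation
    "Snapshot of $($current.Count) value(s) saved to $Snapshot. Merge the file, then re-run with -Phase After."
    return
}

# After phase: compare the stored snapshot with the live registry and list every difference.
$previous = @(Import-Csv -Path $Snapshot)
$diff = Compare-Object -ReferenceObject $previous -DifferenceObject $current -Property Key, Name, Value
if (-not $diff) { 'No differences: the import changed nothing in the listed keys.' }
foreach ($d in $diff) {
    $tag = if ($d.SideIndicator -eq '=>') { 'NOW' } else { 'WAS' }
    '{0} {1}\{2} = {3}' -f $tag, $d.Key, $d.Name, $d.Value
}

# Service keys are the case in this thread: report the live state of each service touched.
foreach ($t in $targets) {
    if ($t.Key -match '\\Services\\([^\\]+)$') {
        $svc = Get-Service -Name $Matches[1] -ErrorAction SilentlyContinue
        if ($svc) { '{0}: {1}' -f $svc.Name, $svc.Status } else { '{0}: service not registered' -f $Matches[1] }
    }
}
```

Run the Before phase, merge the file, then run the After phase; the WAS/NOW lines show exactly which values the import created or changed, and the service status lines give the same kind of confirmation the thread gets from a fresh FSS log.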

Yzed

  • Guest
Re: win32/siref & win64/siref
« Reply #24 on: October 11, 2013, 01:54:48 AM »
When I open your link, I get a web page full of text. Do I copy that to notepad and save it as C:\RemoteAccess.reg? This is what I've done, and it looks alright, but I will wait for confirmation before I start it...

Another thing I've noticed is I can't save anything new to the C:\ directory. I can save in Documents or Downloads and other personal folders, then copy across (after clicking the administrator permission button), but it says I don't have permission if I try to save directly.

I have to go to work now, so no need to rush with the reply.

Offline magna86

Re: win32/siref & win64/siref
« Reply #25 on: October 11, 2013, 12:04:43 PM »
Quote
Another thing I've noticed is I can't save anything new to the C:\ directory
Have you tried rebooting the computer? Can you post me a screenshot of that message?


Click here and then download RemoteAccess.reg
http://www.mcshield.net/personal/magna86/Temp

The .reg extension is important as this is a registry file. Then run FRST. FRST will look for RemoteAccess.reg in C:\ .


Yzed

  • Guest
Re: win32/siref & win64/siref
« Reply #26 on: October 11, 2013, 12:20:28 PM »
This is what comes up if I try to save directly to C:\. After a bit more fiddling around, I found I could create a new folder and save it in there, just not directly to the C: drive. I've rebooted it a few times since I noticed that problem and it doesn't change. I haven't had trouble installing stuff onto C:\, so it may be just files that cause the issue.

Just to clarify with the "RemoteAccess.reg": do I copy the text into notepad and save it as C:\RemoteAccess.reg, or is that link supposed to take me to a downloader/installer tool?

Offline magna86

Re: win32/siref & win64/siref
« Reply #27 on: October 11, 2013, 12:30:42 PM »
Hm... let's try to do it this way.

Download RemoteAccess.reg file to your Desktop. Double click on that file and on any pop-up click Yes/Ok/Merge ....
Re-run FSS and post me fresh log.


edit:
Here is another download link:
http://wikisend.com/download/371086/RemoteAccess.reg
« Last Edit: October 11, 2013, 12:33:05 PM by magna86 »

Yzed

  • Guest
Re: win32/siref & win64/siref
« Reply #28 on: October 11, 2013, 12:43:03 PM »
We're away again:)

Offline magna86

Re: win32/siref & win64/siref
« Reply #29 on: October 11, 2013, 01:57:31 PM »
Ah, no, the latest FSS log looks good.  8) We did the job.  ;)

It's time for post cleaning:

First, we need to remove the content of the FRST Quarantine.


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:
DeleteQuarantine:
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt).
Note: If the tool warns you about an outdated version please download and run the updated version.

> I don't need the FRST log report.


------- next -------


It is necessary to uninstall ComboFix:
  • Click Start, then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.

  • In the line of text type in (copy) the following:
Code:
ComboFix /Uninstall
    Note that there is a space between "ComboFix" and "/Uninstall".

  • Then click OK (or press Enter).
    Wait for the uninstall process to complete.


------- next -------


Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt


> I don't need the DelFix log report.



------- tips -------


I recommend keeping Malwarebytes and using MCShield if you wish.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the flash drive, memory card or external HDD.


Be safe.