Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

cannot remove win32.backdoor.sinowal


  • This topic is locked This topic is locked
4 replies to this topic

#1 JWill998

JWill998

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 30 March 2009 - 03:00 PM

Any help would be appreciated.
Have found very little info on win32.backdoor.sinowal but it seems only to be detected by AdAware and I have been unable to remove two copies. I run XP. After reading similar posts here, I have run HJT and ComboFix. Tried AVG and several programs all without success at eliminating these suckers. These logs have been saved.
Below is my DDS log as suggested by this forum. I can usually remove infections but not this time thus the first time request for help. Thanks!
DDS (Ver_09-03-16.01) - NTFSx86
Run by IBM USER at 12:51:07.64 on Mon 03/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.866 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\IBM USER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ibmuse~1\applic~1\mozilla\firefox\profiles\g55vkpbw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

============= SERVICES / DRIVERS ===============

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2007-2-19 12288]
R3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;c:\windows\system32\drivers\DLKRCB.SYS [2007-11-21 25434]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
S4 AloPar;AloPar;c:\windows\system32\drivers\AloPar.sys [2007-11-27 5056]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-03-30 11:32 <DIR> a-dshr-- C:\cmdcons
2009-03-30 11:31 161,792 a------- c:\windows\SWREG.exe
2009-03-30 11:31 98,816 a------- c:\windows\sed.exe
2009-03-30 11:31 <DIR> --d----- C:\ComboFix
2009-03-27 06:33 13,240 a------- c:\windows\system32\drivers\slwdmsup.sys
2009-03-27 06:33 13,240 a------- c:\windows\system32\dllcache\slwdmsup.sys
2009-03-27 06:33 1,309,184 a------- c:\windows\system32\drivers\mtlstrm.sys
2009-03-27 06:33 1,309,184 a------- c:\windows\system32\dllcache\mtlstrm.sys
2009-03-27 06:33 286,792 a------- c:\windows\system32\slextspk.dll
2009-03-27 06:33 286,792 a------- c:\windows\system32\dllcache\slextspk.dll
2009-03-27 06:33 126,686 a------- c:\windows\system32\drivers\mtlmnt5.sys
2009-03-27 06:33 126,686 a------- c:\windows\system32\dllcache\mtlmnt5.sys
2009-03-27 06:33 180,360 a------- c:\windows\system32\drivers\ntmtlfax.sys
2009-03-27 06:33 180,360 a------- c:\windows\system32\dllcache\ntmtlfax.sys
2009-03-27 06:33 95,424 a------- c:\windows\system32\drivers\slnthal.sys
2009-03-27 06:33 95,424 a------- c:\windows\system32\dllcache\slnthal.sys

==================== Find3M ====================

2009-02-20 18:39 86,695 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-04 10:47 74,703 a------- c:\windows\system32\mfc45.dll
2008-02-04 15:03 30,520 a------- c:\docume~1\ibmuse~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 12:51:17.72 ===============

BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 AM

Posted 31 March 2009 - 03:40 PM

Hello.

Posted ImageBackdoor Threat

IMPORTANT NOTE: Unfortunatly One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 JWill998

JWill998
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 31 March 2009 - 04:10 PM

Thanks for the advice. Agree with you that reformatting is the only way to be sure. I don't bank or otherwise use this laptop
for this very reason. Appreciate your candor and it's refreshing to hear the reformat suggestion rather than spin my wheels
with several band aid remedies. Thanks again!

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 AM

Posted 31 March 2009 - 05:12 PM

You're welcome.

Below are some prevention tips to help you in the future.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck :thumbup2:

If you have nothing else, I will close this topic in 2 days. Please reply back letting me know.

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 AM

Posted 02 April 2009 - 02:58 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad I could help :thumbup2:
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users