Sinowal virus - Don't think it has been removed


18 replies to this topic

#1 in_need_of_help


Posted 26 October 2009 - 06:18 AM

Hiya
I was recently infected with Sinowal.E virus that was discovered by Avira and was causing my PC to freeze after approx. 10-15minutes of use. As instructed by the Avira scan, I attempted to run the boot sector repair tool that I downloaded from Avira website but this showed no infections and didn't appear to remove the virus when I ran a scan afterwards. I already had Malwarebytes installed and this didn't return any viruses when I scanned.
After that I took my PC to a repair guy (friend of friend) and they ran some checks and could not find the virus although Avira still said it was still there. After a few days they said that Malwarebytes had picked it up and it has been cleaned and is running fine. I should mention that they then told me that they had never heard of Sinowal before!
When I started using my PC again, the freezing is still happening. They have uninstalled Avira and replaced it with Symantec End Point Protection.
I have run both Malwarebytes scans and Symantec Scan and it is reporting that no infections etc have been found but the insistent freezing makes me believe otherwise.

A friend told me to run ComboFix (I followed the instructions from this website) and Hijack This and give him the logs which I did and to change all my passwords which I also did, however he is unable to assist now due to some domestic problems and I desperately need to work from my PC! :thumbsup:

Not really sure where to go from here, and I am seriously reluctant to go back to the initial repair guy seeing as he had not even heard of this virus. Also, I am not sure if I should uninstall the Symantec and reinstall Avira to see if that shows the virus?

I hope this all makes sense. Any help would be greatly appreciated!

My PC is Windows XP Pro v.2002 SP3
I have backed up my data to an external drive.
I no longer have the Windows XP installation CD

Many thanks


#2 quietman7

Bleepin' Janitor, Global Moderator

Posted 26 October 2009 - 10:05 AM

Please download mbr.exe and save it to your desktop <- (Important!).
  • Double-click on mbr.exe and allow the mbr.sys driver to load if asked.
  • A black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved on your desktop.
  • Copy and paste the results of the mbr.log in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#3 in_need_of_help


Posted 26 October 2009 - 10:52 AM

Hi,
Please see log below.

------------
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8829eea0
NDIS: Intel® PRO/1000 CT Network Connection -> SendCompleteHandler -> 0x882db190
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0DF8F900
malicious code @ sector 0x0DF8F903 !
PE file found in sector at 0x0DF8F919 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

-----------
Thanks!

#4 quietman7


Posted 26 October 2009 - 11:04 AM

First, open Windows Explorer and rename the C:\mbr.log to C:\mbr.old

Then go to Start > Run..., and in the Open box type: cmd
press Ok.
The command prompt needs to be at the root directory (C:\>_). To do that, type: cd \
press Enter.
At the command prompt C:\>_, type: mbr.exe -f
(make sure you have a space before the e and the -f)
press Enter.
At the command prompt, type: exit
press Enter.

A new report will be created at C:\mbr.log. Please copy and paste the results in your next reply.

-- If you're not sure how to use the command prompt, please refer to this guide: Introduction to the Command Prompt.

#5 in_need_of_help


Posted 26 October 2009 - 11:33 AM

The log file was on my desktop and, when using Windows Explorer, it didn't show up in a way to rename the extension, so I renamed the text file to 'mbrold'.

I did as requested by running the cmd.exe and following the instructions provided and I got the following message:

'mbr.exe' is not recognized as an internal or external command, operable program or batch file


many thanks for your assistance

#6 quietman7


Posted 26 October 2009 - 12:11 PM

The log file was on my desktop and when using windows explorer, it didn't show up in a way to rename the extension so i renamed the text file to 'mbrold'

That's ok. If a file extension does not show, that means you need to Reconfigure Windows to show hidden file extensions for known file types.

'mbr.exe' is not recognized as an internal or external command, operable program or batch file

The command should be "mbr.exe" -f, not just mbr.exe, and it should only be used if the mbr.exe file is on your desktop...If not, the command will not work.

If you continue having problems trying to execute it, do this instead.

Go to Start > Run..., and in the Open box, copy/paste: "%userprofile%\desktop\mbr.exe" -f
press Ok.
A new report will be created at C:\mbr.log. Please copy and paste the results in your next reply.

Edited by quietman7, 26 October 2009 - 12:13 PM.


#7 in_need_of_help


Posted 26 October 2009 - 12:47 PM

The exe is on my desktop and I typed in exactly as you instructed: 'mbr.exe -f' and pressed enter but the message returned is still the same.
So I did the alternative option and the log is below.

--------------
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x88214ea0
NDIS: Intel® PRO/1000 CT Network Connection -> SendCompleteHandler -> 0x88251190
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0DF8F900
malicious code @ sector 0x0DF8F903 !
PE file found in sector at 0x0DF8F919 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !
---------------

Thanks

#8 quietman7


Posted 26 October 2009 - 01:08 PM

Restart the computer <- Important! (otherwise the next report may falsely show the infection as still present)
Then run mbr.exe the same way you did the first time.
It will create a new mbr.log.
Copy and paste the results in your next reply.

#9 quietman7


Posted 26 October 2009 - 01:12 PM

Do this first before doing the above.

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


#10 in_need_of_help


Posted 26 October 2009 - 01:21 PM

I am currently using another PC so I just ran the mbr again before seeing your last reply - shall I do this TFC now?

#11 quietman7


Posted 26 October 2009 - 01:30 PM

shall I do this TFC now?

Yes.

#12 in_need_of_help


Posted 26 October 2009 - 01:41 PM

OK, so I downloaded and ran TFC and rebooted when prompted. I then ran mbr.exe as I did the first time and the log is below.

------------------------
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF8F900
malicious code @ sector 0x0DF8F903 !
PE file found in sector at 0x0DF8F919 !

------------------------

Thanks again
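The three mbr.log outputs in this thread (hooks present, "original MBR restored successfully", and finally "user & kernel MBR OK" with the stashed sectors still listed) are the whole decision tree the helper is walking. The script below is an added example, not part of the thread and not GMER's own tooling: it parses mbr.log lines of that shape and classifies them into the next step taken here. The sample logs are constructed to mirror the ones posted above (with "(R)" substituted for the ® glyph), the classification labels are this example's own, and it assumes 512-byte sectors when turning a sector number into a byte offset.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: 512-byte sectors, the norm for an XP-era disk.
SECTOR_BYTES = 512

# Constructed sample logs modelled on the mbr.log outputs posted in this thread.
LOG_INFECTED = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8829eea0
NDIS: Intel(R) PRO/1000 CT Network Connection -> SendCompleteHandler -> 0x882db190
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0DF8F900
malicious code @ sector 0x0DF8F903 !
PE file found in sector at 0x0DF8F919 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""
# The same scan run with -f adds one line at the end.
LOG_FIXED = LOG_INFECTED + "original MBR restored successfully !\n"
# Scan after the fix and a reboot: boot sector clean, stashed sectors still present.
LOG_RESIDUE = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF8F900
malicious code @ sector 0x0DF8F903 !
PE file found in sector at 0x0DF8F919 !
"""

# "<object> -> [<handler> -> ]0x<addr>": a hooked driver object or NDIS handler.
_HOOK = re.compile(r"^(?P<obj>.+?) -> (?:.*-> )?0x(?P<addr>[0-9a-fA-F]+)\s*$")
_SECTOR = re.compile(r"^(copy of MBR has been found in sector|malicious code @ sector"
                     r"|PE file found in sector at) 0x([0-9a-fA-F]+)")


@dataclass
class MbrReport:
    hooks: List[str] = field(default_factory=list)   # hooked kernel objects/handlers
    mbr_ok: bool = False               # "user & kernel MBR OK": sector 0 reads clean both ways
    restored: bool = False             # printed by "mbr.exe -f" after rewriting sector 0
    copy_sector: Optional[int] = None  # where the rootkit stashed the original MBR
    code_sectors: List[int] = field(default_factory=list)
    pe_sectors: List[int] = field(default_factory=list)


def parse_mbr_log(text: str) -> MbrReport:
    """Pull the findings out of an mbr.log; lines it does not know are ignored."""
    report = MbrReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "user & kernel MBR OK":
            report.mbr_ok = True
            continue
        if line.startswith("original MBR restored successfully"):
            report.restored = True
            continue
        m = _SECTOR.match(line)
        if m:
            sector = int(m.group(2), 16)
            if m.group(1).startswith("copy"):
                report.copy_sector = sector
            elif m.group(1).startswith("malicious"):
                report.code_sectors.append(sector)
            else:
                report.pe_sectors.append(sector)
            continue
        m = _HOOK.match(line)
        if m:
            report.hooks.append(m.group("obj"))
    return report


def classify(report: MbrReport) -> str:
    """Map a report to the next step taken in this thread (labels are this example's own)."""
    if report.restored:
        # -f rewrote sector 0, but the listed hooks live in the running kernel until
        # reboot, so a rescan before restarting would still report them.
        return "mbr-restored-reboot-and-rescan"
    if report.hooks or not report.mbr_ok:
        return "active-mbr-rootkit"
    if report.copy_sector is not None or report.code_sectors or report.pe_sectors:
        # Nothing in the restored boot sector loads the stashed code any more, but the
        # sectors are still on disk: follow up with a full scan, as the thread does.
        return "mbr-clean-hidden-payload-remains"
    return "clean"


def byte_offset(sector: int) -> int:
    """Byte offset on disk of a sector number from mbr.log (512-byte sectors assumed)."""
    return sector * SECTOR_BYTES


if __name__ == "__main__":
    for name, log in (("infected", LOG_INFECTED), ("fixed", LOG_FIXED), ("residue", LOG_RESIDUE)):
        rep = parse_mbr_log(log)
        print(f"{name:8s} {classify(rep)}  hooks={len(rep.hooks)}  copy_sector={rep.copy_sector}")
```

Run it as-is to see the three verdicts; point `parse_mbr_log` at the contents of a real C:\mbr.log to classify one. The ordering in `classify` is deliberate: "restored" wins over the hook lines because those hooks are still reported from the running kernel until the reboot the helper insists on.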

#13 quietman7


Posted 26 October 2009 - 01:44 PM

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.Web CureIt so you can provide that information.

#14 in_need_of_help


Posted 26 October 2009 - 02:31 PM

I'm doing this now. Thanks

#15 quietman7


Posted 26 October 2009 - 02:38 PM

Not a problem.



