Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Backdoor.Win32.Sinowal.fka


  • This topic is locked This topic is locked
2 replies to this topic

#1 dpov

dpov

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 09 December 2009 - 03:38 PM

I am running Kaspersky AV 2010. Every time I boot up, Kaspersky finds and "disinfects" Backdoor.Win32.Sinowal.fka from DEVICEHARDDISK1DR1. I have attempted booting into the Recovery Console and using Fixmbr on that disk. I have also tried various tools to try to "clean" the virus. The latest tool I tried was Combofix, which I read about on another forum. However, that did not work. I can post the resulting Combofix log here if requested. Any assistance is appreciated.

Thanks

Sorry, forgot to post the DDS, which follows. The Attach.txt and Ark.txt are attached as instructed:


DDS (Ver_09-12-01.01) - NTFSx86
Run by dave at 15:58:57.78 on Wed 12/09/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.810 [GMT -5:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32LEXBCES.EXE
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32LEXPPS.EXE
C:WINDOWSCTHELPER.EXE
C:WINDOWSsystem32CTXFIHLP.EXE
svchost.exe
C:Program FilesRay AdamsATI Tray Toolsatitray.exe
C:WINDOWSSYSTEM32CTXFISPI.EXE
C:Program FilesUPHCleanuphclean.exe
C:WINDOWSSystem32svchost.exe -k HTTPFilter
Y:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesKaspersky LabKaspersky Anti-Virus 2010klwtblfs.exe
C:Documents and SettingsdaveDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:program fileskaspersky labkaspersky anti-virus 2010ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:program fileskaspersky labkaspersky anti-virus 2010klwtbbho.dll
uRun: [AtiTrayTools] "c:program filesray adamsati tray toolsatitray.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [AVP] "c:program fileskaspersky labkaspersky anti-virus 2010avp.exe"
mRun: [NeroFilterCheck] c:windowssystem32NeroCheck.exe
IE: E&xport to Microsoft Excel - y:progra~1micros~1office11EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:program fileskaspersky labkaspersky anti-virus 2010klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - y:progra~1micros~1office11REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:program fileskaspersky labkaspersky anti-virus 2010klwtbbho.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257182675031
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257208955290
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:windowssystem32klogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:docume~1daveapplic~1mozillafirefoxprofiles9jwml554.default
FF - prefs.js: browser.startup.homepage - google.com
FF - component: y:program filesmozilla firefoxextensionslinkfilter@kaspersky.rucomponentsKavLinkFilter.dll
FF - plugin: y:program filesadobereader 9.0readerbrowsernppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows

presentation foundationdotnetassistantextension

---- FIREFOX POLICIES ----
y:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:windowssystem32driverskl1.sys [2009-6-15 128016]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:windowssystem32driversklbg.sys [2008-12-15 33808]
R1 atitray;atitray;c:program filesray adamsati tray toolsatitray.sys [2007-5-22 18088]
R1 KLIF;Kaspersky Lab Driver;c:windowssystem32driversklif.sys [2009-11-2 296976]
R2 AVP;Kaspersky Anti-Virus;c:program fileskaspersky labkaspersky anti-virus 2010avp.exe [2009-7-3 303376]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:windowssystem32driversklim5.sys [2009-5-13 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:windowssystem32driversklmouflt.sys [2009-5-16 19472]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:windowssystem32driverssis163u.sys [2009-11-2 215552]
S3 SISNPF;SIS Netgroup Packet Filter;c:windowssystem32driverssisnpf.sys [2009-11-2 31872]

=============== Created Last 30 ================

2009-12-09 20:47:06 0 d-----w- c:program filesTrend Micro
2009-12-09 20:11:29 0 d-sha-r- C:cmdcons
2009-12-09 20:10:49 98816 ----a-w- c:windowssed.exe
2009-12-09 20:10:49 261632 ----a-w- c:windowsPEV.exe
2009-12-09 20:10:49 161792 ----a-w- c:windowsSWREG.exe
2009-12-09 18:40:59 0 d-----w- c:docume~1daveapplic~1Malwarebytes
2009-12-09 18:40:54 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2009-12-09 18:40:52 0 d-----w- c:docume~1alluse~1applic~1Malwarebytes
2009-12-09 18:40:18 19160 ----a-w- c:windowssystem32driversmbam.sys
2009-12-09 18:40:18 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2009-12-09 18:25:49 77312 ----a-w- c:windowsmbr.exe
2009-12-09 16:01:21 0 d-----w- C:5e198bb1f3ea295b4dcfba00529b3f
2009-12-09 15:53:09 7984 ----a-w- c:windowsMbrFix.htm
2009-12-09 15:33:44 65024 ----a-w- c:windowsMbrFix.exe
2009-12-09 14:42:42 7984 ----a-w- C:MbrFix.htm
2009-12-09 14:42:32 65024 ----a-w- C:MbrFix.exe
2009-12-08 23:09:39 23 ----a-w- c:windowsBlendSettings.ini
2009-12-08 14:41:21 125184 ------w- c:windowssystem32driversimagesrv.sys
2009-12-08 14:41:19 5504 ------w- c:windowssystem32driversimagedrv.sys
2009-12-08 14:41:05 106496 ----a-w- c:windowssystem32TwnLib20.dll
2009-12-08 14:41:04 476320 ------w- c:windowssystem32ImagXpr7.dll
2009-12-08 14:41:04 471040 ------w- c:windowssystem32ImagXRA7.dll
2009-12-08 14:41:04 262144 ------w- c:windowssystem32ImagXR7.dll
2009-12-08 14:41:04 1568768 ------w- c:windowssystem32ImagX7.dll
2009-12-08 14:41:04 155648 ----a-w- c:windowssystem32NeroCheck.exe
2009-11-30 23:11:18 0 d-----w- c:docume~1daveapplic~1atitray
2009-11-30 23:10:39 0 d-----w- c:program filesRay Adams
2009-11-30 23:05:47 593920 ------w- c:windowssystem32ati2sgag.exe
2009-11-30 22:55:56 10 ----a-w- c:windowsWININIT.INI
2009-11-28 18:18:03 248 ----a-w- c:windowsRomeTW.ini
2009-11-24 18:05:56 233472 ----a-w- c:windowssystem32lame_enc.dll

==================== Find3M ====================

2009-11-02 22:48:46 108059 ----a-w- c:windowssystem32driversklin.dat
2009-11-02 22:48:45 95259 ----a-w- c:windowssystem32driversklick.dat
2009-11-02 22:44:19 604140 --sha-w- c:windowssystem32driversISwift3.dat
2009-11-02 16:41:36 21640 ----a-w- c:windowssystem32emptyregdb.dat
2009-09-30 02:20:58 442368 ----a-w- c:windowssystem32ATIDEMGX.dll
2009-09-30 02:19:56 325120 ------w- c:windowssystem32ati2dvag.dll
2009-09-30 02:10:52 204800 ----a-w- c:windowssystem32atipdlxx.dll
2009-09-30 02:10:36 155648 ----a-w- c:windowssystem32Oemdspif.dll
2009-09-30 02:10:24 26112 ----a-w- c:windowssystem32Ati2mdxx.exe
2009-09-30 02:10:16 43520 ----a-w- c:windowssystem32ati2edxx.dll
2009-09-30 02:10:02 155648 ----a-w- c:windowssystem32ati2evxx.dll
2009-09-30 02:08:50 602112 ----a-w- c:windowssystem32ati2evxx.exe
2009-09-30 02:08:48 307200 ----a-w- c:windowssystem32atiiiexx.dll
2009-09-30 02:07:30 53248 ----a-w- c:windowssystem32ATIDDC.DLL
2009-09-30 02:07:08 11845632 ----a-w- c:windowssystem32atioglxx.dll
2009-09-30 02:00:06 3818272 ------w- c:windowssystem32ati3duag.dll
2009-09-30 01:47:22 2670592 ------w- c:windowssystem32ativvaxx.dll
2009-09-30 01:46:56 887724 ----a-w- c:windowssystem32ativva6x.dat
2009-09-30 01:46:56 3107788 ----a-w- c:windowssystem32ativva5x.dat
2009-09-30 01:34:06 49664 ----a-w- c:windowssystem32amdpcom32.dll
2009-09-30 01:30:32 475136 ----a-w- c:windowssystem32atikvmag.dll
2009-09-30 01:28:54 126976 ----a-w- c:windowssystem32atiadlxx.dll
2009-09-30 01:28:36 17408 ----a-w- c:windowssystem32atitvo32.dll
2009-09-30 01:27:54 45056 ----a-w- c:windowssystem32aticalrt.dll
2009-09-30 01:27:42 45056 ----a-w- c:windowssystem32aticalcl.dll
2009-09-30 01:26:52 290816 ----a-w- c:windowssystem32atiok3x2.dll
2009-09-30 01:26:04 3227648 ----a-w- c:windowssystem32aticaldd.dll
2009-09-30 01:22:42 626688 ------w- c:windowssystem32ati2cqag.dll
2009-09-25 05:37:11 667136 ------w- c:windowssystem32wininet.dll
2009-09-25 05:37:09 81920 ----a-w- c:windowssystem32ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:windowssystem32msv1_0.dll

============= FINISH: 15:59:22.48 ===============

Merged posts. ~ OB

Attached Files


Edited by Orange Blossom, 09 December 2009 - 10:53 PM.


BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:12 PM

Posted 21 December 2009 - 10:29 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or RootRepeal log please refer to this page and in step #6 and Step #7 for further instructions on downloading and running DDS & RootRepeal. If you have any problems just let me know in your next reply or simply post a Hijackthis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:12 PM

Posted 26 December 2009 - 09:36 AM

Hello.

Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users