Infected with Sinowal.F Trojan


This topic is locked
13 replies to this topic

#1 Eric Concannon

Posted 15 December 2009 - 02:52 AM

I have tried numerous malware removal tools over the past few weeks and none have been able to remove this infection. It is discovered by most of the programs, and those that try to remove it (even in SafeMode) seem to work...until I reboot and start up XP normally. The most obvious presentation (consistent and persistent) is an "uninstall.exe" program that shows up in my startup menu. Otherwise, I have noticed no problems that I would attribute to this aside from consistent warnings from almost every anti-virus/anti-spyware program I've installed. The recommended logs follow...

DDS (Ver_09-12-01.01) - NTFSx86
Run by Licensed User at 23:28:58.40 on Mon 12/14/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.945 [GMT -8:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vVX6000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Licensed User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/MemberHome
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\uninstall.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: microsoft.com
Trusted Zone: netflix.com
Trusted Zone: netlibrary.com
Trusted Zone: plaxo.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} - hxxp://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxps://www.pc.ibm.com/egather/IbmEgath.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37944.4921990741
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/mail/autocomplete.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\licens~1\applic~1\mozilla\firefox\profiles\7j13f310.default\
FF - prefs.js: browser.startup.homepage - hxxp://forecast.weather.gov/MapClick.php?CityName=Lafayette&state=CA&site=MTR&textField1=37.8858&textField2=-122.117&e=0
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2006-6-29 2383152]
S3 DUBE100;D-Link DUB-E100 USB 2.0 to Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [2007-4-9 11935]

=============== Created Last 30 ================

2009-12-15 07:09:49 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2009-12-14 04:14:46 0 d-----w- c:\program files\common files\Symantec Shared
2009-12-14 04:08:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2009-12-14 04:08:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2009-12-14 04:08:23 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-12-13 16:40:59 23392 ----a-w- c:\windows\system32\nscompat.tlb
2009-12-13 16:40:59 16832 ----a-w- c:\windows\system32\amcompat.tlb
2009-12-13 01:55:12 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-13 01:20:45 0 d-----w- c:\program files\Microsoft Security Essentials
2009-12-10 04:47:47 0 d-----w- c:\docume~1\licens~1\applic~1\Malwarebytes
2009-12-10 04:47:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-08 06:47:12 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{EFBAD1D6-DB32-4E45-ACA1-FB05458C6D20}
2009-12-08 06:46:55 0 d-----w- c:\program files\Radium Technologies

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 11:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-06-28 05:11:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062720080628\index.dat

============= FINISH: 23:29:49.85 ===============


#2 m0le (Malware Response Team)

Posted 26 December 2009 - 08:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

m0le is a proud member of UNITE

#3 Eric Concannon (Topic Starter)

Posted 27 December 2009 - 12:29 AM

Thanks for the response mole. I understand the delay. The summary of what I've done is unchanged (copied below) and the logs are pasted or attached as requested.

I have tried numerous malware removal tools over the past few weeks and none have been able to remove this infection. It is discovered by most of the programs, and those that try to remove it (even in SafeMode) seem to work...until I reboot and start up XP normally. The most obvious presentation (consistent and persistent) is an "uninstall.exe" program that shows up in my startup menu. Otherwise, I have noticed no problems that I would attribute to this aside from consistent warnings from almost every anti-virus/anti-spyware program I've installed.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Licensed User at 20:55:47.56 on Sat 12/26/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.877 [GMT -8:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vVX6000.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exea
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Licensed User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/Signin?nextpage=http%3A%2F%2Fwww.netflix.com%2FMemberHome
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\uninstall.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: microsoft.com
Trusted Zone: netflix.com
Trusted Zone: netlibrary.com
Trusted Zone: plaxo.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} - hxxp://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxps://www.pc.ibm.com/egather/IbmEgath.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37944.4921990741
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/mail/autocomplete.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\licens~1\applic~1\mozilla\firefox\profiles\7j13f310.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://forecast.weather.gov/MapClick.php?CityName=Lafayette&state=CA&site=MTR&textField1=37.8858&textField2=-122.117&e=0
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\licensed user\application data\move networks\plugins\npqmp071705000014.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2006-6-29 2383152]
S3 DUBE100;D-Link DUB-E100 USB 2.0 to Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [2007-4-9 11935]

=============== Created Last 30 ================

2009-12-21 04:30:16 0 d-----w- c:\program files\iPod
2009-12-21 04:30:12 0 d-----w- c:\program files\iTunes
2009-12-21 04:30:12 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-19 18:46:08 0 d-----w- c:\program files\Microsoft
2009-12-19 18:45:48 0 d-----w- c:\program files\Windows Live SkyDrive
2009-12-15 07:09:49 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2009-12-14 04:14:46 0 d-----w- c:\program files\common files\Symantec Shared
2009-12-14 04:08:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2009-12-14 04:08:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2009-12-14 04:08:23 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-12-13 16:40:59 23392 ----a-w- c:\windows\system32\nscompat.tlb
2009-12-13 16:40:59 16832 ----a-w- c:\windows\system32\amcompat.tlb
2009-12-13 01:55:12 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-13 01:20:45 0 d-----w- c:\program files\Microsoft Security Essentials
2009-12-10 04:47:47 0 d-----w- c:\docume~1\licens~1\applic~1\Malwarebytes
2009-12-10 04:47:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-08 06:47:12 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{EFBAD1D6-DB32-4E45-ACA1-FB05458C6D20}
2009-12-08 06:46:55 0 d-----w- c:\program files\Radium Technologies

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 11:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-06-28 05:11:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062720080628\index.dat

============= FINISH: 20:56:48.14 ===============


#4 m0le (Malware Response Team)

Posted 27 December 2009 - 07:34 AM

We're dealing with Sinowal which is also called MBR and is a nasty rootkit which overwrites core system files.

We need to use Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(

#5 Eric Concannon (Topic Starter)

Posted 27 December 2009 - 01:33 PM

Bad news...the combofix software has locked up the computer in the boot process.

Details:

I downloaded and ran the program as suggested. I disabled the virus scanning software that is still on the computer (there have been several in the last few months, all of which were uninstalled, except one). I could not get the remaining one to stop running simply (I was impatient) so I just uninstalled it instead of stopping it. When the combofix software began to run, it told me that CA antivirus scanner was still running, however, this software was removed several weeks ago and I can find no evidence of it in the usual places on my computer (not in the uninstall control panel, not in start menu, not in the control panel itself). Since it was, to my knowledge, gone and no longer running even though the combofix program was saying to stop it, I just let combofix run.

It seemed to work fine, told me I needed the recovery console, and it installed the console. Once the console was on board, combofix continued and found a rootkit, which it told me required restart to resolve. I okayed the restart, and now the computer hangs at one of the bios screens, never reaching windows startup. Specifically, the memory test runs, the drives are enabled and tested, the PCI devices are listed, then the bios says "Verifying DMI Pool Data..........", moves the cursor to the next line and everything stops with a flashing underline cursor. I'm not sure if the DMI pool process completes and then it hangs or if it hangs during the DMI pool process. The other notable problem is that my 3.5" floppy drive light is stuck on as the computer hangs up, and remains on now. If I reset the computer or turn it off and then on, the process still hangs in the same place.

Now what?

#6 m0le (Malware Response Team)

Posted 27 December 2009 - 04:51 PM

Combofix hasn't caused this, it is the rootkit. We need to boot the system into the recovery console using your XP disk. If you don't have the disk then read the first part.


Please download the Recovery Console Bootable CD iso
Unzip the file and use your favourite burning application to burn the iso to a CD. Note, this is not the same as just burning the iso file on a CD.

Now you have a disk (or using the XP disk in your case)...
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
Once in Recovery Console, please type and hit enter.

Type exit to exit and restart your PC.


Post back the result of this.

#7 Eric Concannon (Topic Starter)

Posted 27 December 2009 - 05:04 PM

Thanks for the quick reply.

All of this works except the bit where you say:

"Once in Recovery Console, please type and hit enter."

What am I supposed to type? Just hitting enter does nothing but bring up a new command prompt.

Cheers, Eric

#8 m0le (Malware Response Team)

Posted 27 December 2009 - 05:26 PM

"Once in Recovery Console, please type and hit enter."


That should read:

"Once in Recovery Console, please type fixmbr and hit enter."
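The fixmbr step in post #8 works against the infection described in post #4 because Sinowal lives in the bootstrap code of the Master Boot Record: fixmbr rewrites the 446-byte boot code and leaves the partition table in place. The Python below is an added illustration, not part of this thread or of any tool it mentions; it parses a 512-byte MBR, compares its boot code against a known-good baseline hash, and emulates a fixmbr-style repair. The sample sectors and the baseline hash are constructed for the demo and are not real Windows boot code.

```python
"""Check a 512-byte Master Boot Record against a known-good baseline.

Added example, not part of the thread or of any tool it mentions. The
sample sectors below are constructed for the demo; they are not real
Windows boot code.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bootstrap area that an MBR rootkit overwrites
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries follow the boot code
ENTRY_FORMAT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, count
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code, partition entries and signature status."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, offset)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_SIZE],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap area only; the partition table is machine-specific."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    active = 0
    for idx, part in enumerate(info["partitions"]):
        if part["status"] not in (0x00, 0x80):
            findings.append(f"partition {idx}: invalid status byte 0x{part['status']:02x}")
        if part["status"] == 0x80:
            active += 1
        if part["type"] != 0 and part["sectors"] == 0:
            findings.append(f"partition {idx}: non-empty entry with zero length")
    if active > 1:
        findings.append("more than one active partition")
    return findings


def repair_boot_code(sector: bytes, clean_boot_code: bytes) -> bytes:
    """Emulate a fixmbr-style repair: replace the bootstrap area and keep the
    partition table and signature exactly as found on disk."""
    code = clean_boot_code[:BOOT_CODE_SIZE].ljust(BOOT_CODE_SIZE, b"\x00")
    return code + sector[PARTITION_TABLE_OFFSET:]


# --- constructed sample data (not real boot code) -------------------------
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_SIZE - 5)
PARTITION_TABLE = (
    struct.pack(ENTRY_FORMAT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 16_777_216)
    + b"\x00" * 48
)
CLEAN_MBR = CLEAN_BOOT_CODE + PARTITION_TABLE + BOOT_SIGNATURE
# Same partition table, different bootstrap bytes: the pattern an MBR rootkit leaves.
TAMPERED_MBR = (b"\xeb\x3c" + b"\x00" * (BOOT_CODE_SIZE - 2)) + PARTITION_TABLE + BOOT_SIGNATURE
# In practice the baseline hash is recorded from a known-clean machine running the
# same Windows version; here it is taken from the constructed clean sector.
BASELINE_HASH = boot_code_hash(CLEAN_MBR)


def demo() -> dict:
    """Run the check on the clean, tampered and repaired sectors."""
    repaired = repair_boot_code(TAMPERED_MBR, CLEAN_BOOT_CODE)
    return {
        "clean": check_mbr(CLEAN_MBR, BASELINE_HASH),
        "tampered": check_mbr(TAMPERED_MBR, BASELINE_HASH),
        "repaired": check_mbr(repaired, BASELINE_HASH),
    }


if __name__ == "__main__":
    # On a live Windows system the sector would be the first 512 bytes of
    # \\.\PhysicalDrive0, read as administrator (not done here).
    for name, findings in demo().items():
        print(name, findings or "OK")
```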

#9 Eric Concannon (Topic Starter)

Posted 28 December 2009 - 10:54 PM

Okay, after using fixmbr in the recovery console, I can start up again properly.

Honestly, I made a huge mistake yesterday when in the recovery console: I inadvertently told it to reinstall windows XP from my CD....ugh! I couldn't stop it and it was a total hassle...it rolled me back to SP1. After this mess was all sorted out (and I aborted several attempts by combofix to continue its processes, which were restarting the computer constantly and forcing windows to restart its install...read endless loop), I was able to get into windows and reinstall myself all the way back to SP3 and upgrade several other programs that were buggered by the windows rollback.

Once all of that crap was done, I was able to re-run combofix and it produced the following:

ComboFix 09-12-27.04 - Licensed User 12/28/2009 19:34:16.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.972 [GMT -8:00]
Running from: c:\documents and settings\Licensed User\Desktop\Com.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-28 06:33 . 2009-12-28 06:33 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-12-28 06:14 . 2009-12-28 06:14 -------- d-----w- c:\windows\nview
2009-12-28 05:37 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-28 03:26 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-28 03:26 . 2009-10-29 07:45 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-28 03:26 . 2009-10-29 07:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-28 03:26 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-28 03:26 . 2009-10-29 07:45 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-12-28 03:26 . 2009-10-29 07:45 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-12-28 03:26 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-28 02:52 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-12-28 02:52 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-12-28 02:52 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-12-28 02:52 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-12-28 02:52 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-12-28 02:52 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-12-28 02:52 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-12-28 02:52 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-12-28 02:51 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-28 02:49 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-28 02:49 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-12-28 02:49 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-12-28 02:49 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-28 02:49 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-12-28 02:48 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-28 02:48 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-28 02:48 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-28 02:48 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-12-28 02:48 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-12-28 02:48 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-12-28 02:22 . 2009-07-31 18:05 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2009-12-28 02:22 . 2008-04-13 17:27 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2009-12-28 01:47 . 2009-12-28 01:58 -------- d-----w- c:\windows\system32\wbem\Repository.001
2009-12-28 01:34 . 2004-08-02 22:20 4569 ------w- c:\windows\system32\secupd.dat
2009-12-28 00:52 . 2009-08-25 09:17 354816 ----a-w- c:\windows\system32\winhttp.dll
2009-12-28 00:52 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2009-12-28 00:22 . 2003-03-31 12:00 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
2009-12-28 00:21 . 2008-04-14 00:09 198656 -c--a-w- c:\windows\system32\dllcache\cintime.dll
2009-12-28 00:20 . 2008-04-14 00:11 79360 ----a-w- c:\windows\system32\cnbjmon2.dll
2009-12-28 00:18 . 2003-03-31 12:00 73728 -c--a-w- c:\windows\system32\dllcache\icwtutor.exe
2009-12-28 00:18 . 2003-03-31 12:00 61440 -c--a-w- c:\windows\system32\dllcache\icwres.dll
2009-12-28 00:18 . 2003-03-31 12:00 40960 -c--a-w- c:\windows\system32\dllcache\trialoc.dll
2009-12-28 00:14 . 2008-04-13 18:45 59520 ----a-w- c:\windows\system32\drivers\usbhub.sys
2009-12-28 00:14 . 2001-08-17 22:03 4736 ----a-w- c:\windows\system32\drivers\usbd.sys
2009-12-28 00:14 . 2008-04-13 18:45 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2009-12-28 00:14 . 2008-04-13 18:45 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2009-12-28 00:13 . 2008-04-13 19:17 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2009-12-28 00:13 . 2008-04-13 18:45 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2009-12-28 00:13 . 2008-04-13 19:15 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2009-12-28 00:13 . 2008-04-13 18:45 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2009-12-28 00:13 . 2008-04-13 18:45 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2009-12-28 00:13 . 2008-04-13 16:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2009-12-28 00:13 . 2008-04-13 18:45 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2009-12-28 00:01 . 2008-04-14 00:12 252928 ----a-w- c:\windows\system32\msoeacct.dll
2009-12-28 00:01 . 2008-04-14 00:12 105984 ----a-w- c:\windows\system32\msoert2.dll
2009-12-28 00:01 . 2008-04-11 19:04 691712 ----a-w- c:\windows\system32\inetcomm.dll
2009-12-28 00:01 . 2008-04-14 00:12 12288 ----a-w- c:\windows\system32\mstinit.exe
2009-12-28 00:01 . 2008-04-14 00:12 192512 ----a-w- c:\windows\system32\schedsvc.dll
2009-12-28 00:01 . 2008-04-14 00:12 274944 ----a-w- c:\windows\system32\mstask.dll
2009-12-27 23:59 . 2008-04-13 18:32 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2009-12-27 23:13 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-27 22:59 . 2008-04-14 00:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-12-27 22:59 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-12-27 22:58 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\usbaudio.sys
2009-12-27 22:58 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2009-12-27 22:56 . 2008-04-14 00:13 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2009-12-27 22:54 . 2008-04-14 00:12 146432 ----a-w- c:\windows\system\winspool.drv
2009-12-27 22:54 . 2008-04-13 18:54 11264 ----a-w- c:\windows\system32\drivers\irenum.sys
2009-12-27 22:54 . 2003-03-31 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-12-27 22:54 . 2003-03-31 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-12-27 22:54 . 2003-03-31 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-12-27 22:54 . 2003-03-31 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-12-27 22:54 . 2008-04-14 00:12 74752 ----a-w- c:\windows\system32\storprop.dll
2009-12-25 19:02 . 2009-12-25 19:02 -------- d-----w- c:\documents and settings\Licensed User\Local Settings\Application Data\Move Networks
2009-12-25 19:01 . 2009-12-25 19:01 144160 ----a-w- c:\documents and settings\Licensed User\Application Data\Move Networks\uninstall.exe
2009-12-22 04:32 . 2009-12-22 04:32 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2009-12-22 04:30 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Licensed User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-22 04:30 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-22 04:30 . 2009-12-22 04:30 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-22 04:28 . 2009-12-22 04:28 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-21 04:30 . 2009-12-21 04:30 -------- d-----w- c:\program files\iPod
2009-12-21 04:30 . 2009-12-21 04:31 -------- d-----w- c:\program files\iTunes
2009-12-21 04:30 . 2009-12-21 04:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-21 04:28 . 2009-12-21 04:29 -------- d-----w- c:\program files\QuickTime
2009-12-19 18:46 . 2009-12-19 18:46 -------- d-----w- c:\program files\Microsoft
2009-12-19 18:45 . 2009-12-19 18:45 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-19 18:45 . 2009-12-19 18:46 -------- d-----w- c:\program files\Windows Live
2009-12-17 01:15 . 2009-12-17 01:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-12-15 07:58 . 2009-12-15 07:58 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-12-15 07:09 . 2009-12-15 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-12-14 04:14 . 2009-12-14 04:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-14 04:08 . 2009-12-14 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-14 04:08 . 2009-12-14 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-14 04:08 . 2009-12-14 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-13 18:49 . 2009-12-13 18:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-12-13 16:07 . 2009-12-13 16:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2009-12-13 15:44 . 2009-12-13 15:44 23568 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-13 04:44 . 2009-12-13 16:51 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-13 01:55 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-10 04:47 . 2009-12-10 04:47 -------- d-----w- c:\documents and settings\Licensed User\Application Data\Malwarebytes
2009-12-10 04:47 . 2009-12-10 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-08 06:47 . 2009-12-08 06:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EFBAD1D6-DB32-4E45-ACA1-FB05458C6D20}
2009-12-08 06:47 . 2009-02-20 23:29 2373064 -c--a-w- c:\documents and settings\All Users\Application Data\{EFBAD1D6-DB32-4E45-ACA1-FB05458C6D20}\LCSETUP20.exe
2009-12-08 06:46 . 2009-12-08 06:46 -------- d-----w- c:\program files\Radium Technologies
2009-12-07 01:22 . 2009-12-25 19:01 5603776 ----a-w- c:\documents and settings\Licensed User\Application Data\Move Networks\plugins\npqmp071705000014.dll
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\documents and settings\Licensed User\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 02:18 . 2009-12-04 02:18 -------- d-----w- c:\documents and settings\Licensed User\Local Settings\Application Data\GIPS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 06:42 . 2004-10-28 03:53 -------- d-----w- c:\documents and settings\Licensed User\Application Data\Apple Computer
2009-12-28 06:39 . 2009-09-07 16:34 1 ----a-w- c:\documents and settings\Licensed User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-28 06:33 . 2004-02-26 04:37 23568 ----a-w- c:\documents and settings\Licensed User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-28 05:49 . 2007-05-29 04:29 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-28 00:18 . 2003-11-19 19:17 23332 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-26 00:42 . 2009-11-07 23:11 -------- d-----w- c:\documents and settings\Licensed User\Application Data\Move Networks
2009-12-22 22:16 . 2009-09-07 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-22 04:31 . 2004-01-27 07:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-21 04:30 . 2008-11-25 04:31 -------- d-----w- c:\program files\Common Files\Apple
2009-12-21 04:28 . 2004-10-28 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-13 16:40 . 2008-06-15 18:06 -------- d-----w- c:\program files\Google
2009-12-13 16:28 . 2008-04-13 00:41 -------- d-----w- c:\program files\Common Files\Real
2009-12-13 16:25 . 2008-11-05 18:06 -------- d-----w- c:\program files\Common Files\GTK
2009-12-13 15:38 . 2009-09-06 02:25 -------- d-----w- c:\documents and settings\Licensed User\Application Data\CallingID
2009-11-22 21:00 . 2009-11-22 21:00 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-21 15:51 . 2003-03-31 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 01:07 . 2009-11-13 01:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-07 22:53 . 2004-08-09 07:05 -------- d-----w- c:\program files\Java
2009-11-07 22:50 . 2009-11-07 22:50 152576 ----a-w- c:\documents and settings\Licensed User\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-30 19:41 . 2008-11-05 18:08 -------- d-----w- c:\documents and settings\Licensed User\Application Data\.purple
2009-10-29 07:45 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2003-03-31 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2003-03-31 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2003-03-31 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 11:17 . 2008-12-20 15:47 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-12 86016]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"VX6000"="c:\windows\vVX6000.exe" [2009-06-27 759296]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-14 277296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [6/29/2006 3:56 PM 2069504]
S3 {BEE686B9-4C84-4487-9D72-9F40F051E973};{BEE686B9-4C84-4487-9D72-9F40F051E973};c:\windows\System32\svchost.exe -k netsvcs [3/31/2003 4:00 AM 14336]
S3 DUBE100;D-Link DUB-E100 USB 2.0 to Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [4/9/2007 10:42 AM 11935]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netflix.com/Signin?nextpage=http%3A%2F%2Fwww.netflix.com%2FMemberHome
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
Trusted Zone: microsoft.com
Trusted Zone: netflix.com
Trusted Zone: netlibrary.com
Trusted Zone: plaxo.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Licensed User\Application Data\Mozilla\Firefox\Profiles\7j13f310.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://forecast.weather.gov/MapClick.php?CityName=Lafayette&state=CA&site=MTR&textField1=37.8858&textField2=-122.117&e=0
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\Licensed User\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 19:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-28 19:43:34
ComboFix-quarantined-files.txt 2009-12-29 03:43

Pre-Run: 22,687,236,096 bytes free
Post-Run: 22,841,868,288 bytes free

- - End Of File - - 6408A99B8E0D1EBC0FD214146721531B

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:43 PM

Posted 29 December 2009 - 12:29 AM

The MBR has been fixed and the reinstall - though not what we were aiming for - has cleaned the system up. As a result Combofix is reporting no problems.

The system is now clean.

Are there any other symptoms to report after the reinstall and MBR fix?
m0le is a proud member of UNITE

#11 Eric Concannon

  • Topic Starter

Posted 29 December 2009 - 12:47 AM

Not at the moment, but I'll keep the AV program running and see if anything crops up...it has been able to reliably find Sinowal, just not remove it.

Thanks for your help. I'll be sure to post a message within the week if nothing comes up to confirm that everything is settled.

Cheers, Eric

#12 m0le


Posted 06 January 2010 - 04:26 PM

I take it that everything's okay, Eric.
m0le is a proud member of UNITE

#13 Eric Concannon

  • Topic Starter

Posted 06 January 2010 - 04:35 PM

Yes, all is working normally with no trace of the bugger. Has a week already gone by? Thanks for the guidance!

#14 m0le


Posted 06 January 2010 - 04:50 PM

No problem, good to hear. I will close the topic then. :(

---------------------------------------------------------------------------

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE