

Backdoor.Win32.Sinowal.mwh



#1 Groffeaston


Posted 21 January 2011 - 08:42 PM

Hello everyone!

I just finished a "Quick Scan" with Emsisoft Anti-Malware and several things showed up, but the thing that got my attention was: Backdoor.Win32.Sinowal.mwh

I am not sure what to do about: Backdoor.Win32.Sinowal.mwh whether to "Quarantine it" or "Delete it"? I am including below the scan log for the Emsisoft Anti-malware scan that I just finished.


Emsisoft Anti-Malware - Version 5.1
Last update: 1/21/2011 7:39:38 PM

Scan settings:

Scan type: Quick Scan
Objects: Memory, Traces, Cookies
Scan archives: Off
Heuristics: Off
ADS Scan: On

Scan start: 1/21/2011 7:39:58 PM

[3536] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe detected: Backdoor.Win32.Sinowal.mwh!A2
c:\program files\search toolbar detected: Trace.Directory.HuntBar.Stoolbar!A2
c:\program files\Ascentive\Performance Center detected: Trace.Directory.Spyware Striker Pro!A2
c:\program files\Viewpoint\Viewpoint Toolbar detected: Trace.Directory.Viewpoint Media Toolbar!A2
Key: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Cache detected: Trace.Registry.Couponbar!A2
N/A detected: Trace.Registry.CouponBar!A2
Key: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar\tb_items detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar\tb_items --> tbs_space_010261 detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> AutoComplete detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> autoUpdateMsg detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> closeAllWindowsForUpdate detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> connectionError detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> corruptedMsg detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> CountOS detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> CurrentFont detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> CurrentLayout detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> DescriptiveText detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> EditWidthcombo1 detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> firstURL detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> FontSize detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> KeepHistory detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> lastVersionMsg detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> m_bWorking detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> OldOS detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> OpenNew detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> RunSearchAutomatically detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> RunSearchDragAutomatically detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> Scope detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> serverpath detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> ShowFindButtons detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> ShowHighlightButton detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> TBBreak detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> TBPos detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> TBShow detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> TBWidth detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> toolbar_id detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> toolbar_version detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> ToolbarIsFailed detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> uninstallMsg detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> UpdateAutomatically detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> updateMsg detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> updateUrl detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> updateXML detected: Trace.Registry.CouponBar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> urlAfterUninstall detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> urlAfterUpdate detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Toolbar --> versionError detected: Trace.Registry.CouponBar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTB000001.TTB000001Toolbar --> DisplayName detected: Trace.Registry.Couponbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTB000001.TTB000001Toolbar --> UninstallString detected: Trace.Registry.Couponbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Viewpoint\Content Debugger --> Viewpoint Manager detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\Viewpoint\Content Debugger --> Viewpoint Manager Installer detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Sony Pictures Games\JEOPARDY! --> PID detected: Trace.Registry.JEOPARDY!!A2
C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Cookies\matthew@2o7[1].txt detected: Trace.TrackingCookie.2o7!A2
C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Cookies\matthew@bs.serving-sys[1].txt detected: Trace.TrackingCookie.bs.serving-sys!A2
C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Cookies\matthew@com[2].txt detected: Trace.TrackingCookie.com!A2
C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Cookies\matthew@pointroll[1].txt detected: Trace.TrackingCookie.pointroll!A2
C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Cookies\matthew@pro-market[1].txt detected: Trace.TrackingCookie.pro-market!A2
C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Cookies\matthew@questionmarket[1].txt detected: Trace.TrackingCookie.questionmarket!A2
C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Cookies\matthew@ru4[1].txt detected: Trace.TrackingCookie.ru4!A2
C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Cookies\matthew@serving-sys[2].txt detected: Trace.TrackingCookie.serving-sys!A2
C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Cookies\matthew@specificclick[2].txt detected: Trace.TrackingCookie.specificclick!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292592231140000 detected: Trace.TrackingCookie.media!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292592231143000 detected: Trace.TrackingCookie.media!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292592232356000 detected: Trace.TrackingCookie.www.burstbeacon.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292592930393000 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292592930393001 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292595376154000 detected: Trace.TrackingCookie.tribalfusion.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292595393681000 detected: Trace.TrackingCookie.myspace.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292595393682000 detected: Trace.TrackingCookie.myspace.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292595396230000 detected: Trace.TrackingCookie.myspace.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292595396231000 detected: Trace.TrackingCookie.myspace.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292595412566002 detected: Trace.TrackingCookie.myspace.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292595414510001 detected: Trace.TrackingCookie.myspace.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292595422322000 detected: Trace.TrackingCookie.myspace.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292607388356002 detected: Trace.TrackingCookie.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292634019710002 detected: Trace.TrackingCookie.citi.bridgetrack!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292634019710004 detected: Trace.TrackingCookie.citi.bridgetrack!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292644727496000 detected: Trace.TrackingCookie.eas.apm.emediate.eu!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292717098329000 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292717098329001 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292717098329002 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292733562179000 detected: Trace.TrackingCookie.thefreedictionary.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292733569965000 detected: Trace.TrackingCookie.thefreedictionary.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292737952794001 detected: Trace.TrackingCookie.aol.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292737952801000 detected: Trace.TrackingCookie.aol.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292737953419000 detected: Trace.TrackingCookie.aol.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292738041264003 detected: Trace.TrackingCookie.aol.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292738041265002 detected: Trace.TrackingCookie.aol.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292738041266000 detected: Trace.TrackingCookie.aol.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292738054380002 detected: Trace.TrackingCookie.aol.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292738059597001 detected: Trace.TrackingCookie.ar.atwola.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292738103769000 detected: Trace.TrackingCookie.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292738103770000 detected: Trace.TrackingCookie.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292738103770001 detected: Trace.TrackingCookie.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292739769590000 detected: Trace.TrackingCookie.m.webtrends.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292769853008000 detected: Trace.TrackingCookie.d1.openx.org!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292879108394000 detected: Trace.TrackingCookie.e.nvero.net!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292997362984000 detected: Trace.TrackingCookie.www.adfusion.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293082848644000 detected: Trace.TrackingCookie.go.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293082849637000 detected: Trace.TrackingCookie.go.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293082849778000 detected: Trace.TrackingCookie.go.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293082849779001 detected: Trace.TrackingCookie.go.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293082850229000 detected: Trace.TrackingCookie.go.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293082850611000 detected: Trace.TrackingCookie.go.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293082851000000 detected: Trace.TrackingCookie.go.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293082973606002 detected: Trace.TrackingCookie.go.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293082973606003 detected: Trace.TrackingCookie.go.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293742032295000 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293742032296000 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293742032296001 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293756859899000 detected: Trace.TrackingCookie.ads.bleepingcomputer.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293778129370000 detected: Trace.TrackingCookie.about.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293778133451000 detected: Trace.TrackingCookie.about.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293778133467000 detected: Trace.TrackingCookie.about.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293781471103000 detected: Trace.TrackingCookie.reuters.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1293851621325000 detected: Trace.TrackingCookie.e.nvero.net!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1294177763327000 detected: Trace.TrackingCookie.www.clickmanage.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1294177763328000 detected: Trace.TrackingCookie.www.clickmanage.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1294467822024000 detected: Trace.TrackingCookie.rotator.adjuggler.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1294467822025000 detected: Trace.TrackingCookie.rotator.adjuggler.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1294593840073000 detected: Trace.TrackingCookie.adsremote!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1294884737966000 detected: Trace.TrackingCookie.roia.biz!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1294884737966001 detected: Trace.TrackingCookie.roia.biz!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1294891848123000 detected: Trace.TrackingCookie.ads.bridgetrack.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1294891848123001 detected: Trace.TrackingCookie.ads.bridgetrack.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1294891848123002 detected: Trace.TrackingCookie.ads.bridgetrack.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1294952542962000 detected: Trace.TrackingCookie.www.googleadservices.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1295412717869000 detected: Trace.TrackingCookie.ads.pubmatic.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1295490953852000 detected: Trace.TrackingCookie.ads.cnn.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1295494176999000 detected: Trace.TrackingCookie.about.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1295497584545002 detected: Trace.TrackingCookie.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1295583625378001 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1295583625379000 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1295583625379001 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1295583625379002 detected: Trace.TrackingCookie.trafficmp.com!A2

Scanned

Files: 507
Traces: 624765
Cookies: 3029
Processes: 72

Found

Files: 0
Traces: 50
Cookies: 85
Processes: 1
Registry keys: 0

Scan end: 1/21/2011 7:42:37 PM
Scan time: 0:02:39



I am also going to run "Quick-scans" with my other Anti-Malware programs and see what they come up with. I will include the logs from them in my next post.
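The log above mixes one in-memory process detection with dozens of registry traces and tracking cookies, and it is the single non-"Trace" hit that matters. The following parser is an added example, not part of the original post or of Emsisoft's tooling: it reads a constructed excerpt in the log's line format (a few lines copied from the post), sorts findings by kind, and separates the code detection that deserves a second opinion from the low-severity leftovers. The `!A2` suffix handling and the "Trace." convention are assumptions drawn only from the lines shown here.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines in the format of the Emsisoft
# Anti-Malware log pasted in post #1 (paths copied from the thread).
SAMPLE_LOG = r"""
[3536] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe detected: Backdoor.Win32.Sinowal.mwh!A2
c:\program files\search toolbar detected: Trace.Directory.HuntBar.Stoolbar!A2
Key: HKEY_USERS\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\TTB000001\Cache detected: Trace.Registry.Couponbar!A2
N/A detected: Trace.Registry.CouponBar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTB000001.TTB000001Toolbar --> UninstallString detected: Trace.Registry.Couponbar!A2
C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Cookies\matthew@2o7[1].txt detected: Trace.TrackingCookie.2o7!A2
C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\lu0si6w3.default\cookies.sqlite:1292592231140000 detected: Trace.TrackingCookie.media!A2
"""

# One detection per line: "<target> detected: <name>[!engine-tag]"
DETECT_RE = re.compile(r"^(?P<target>.+?) detected: (?P<name>.+)$")
PROCESS_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<path>.+)$")


def parse_line(line):
    """Turn one log line into a finding, or None for lines that are not detections."""
    m = DETECT_RE.match(line.strip())
    if not m:
        return None
    target, name = m["target"], m["name"]
    if name.endswith("!A2"):  # engine tag appended to every name in the posted log
        name = name[:-3]
    pid = None
    if (p := PROCESS_RE.match(target)):
        kind, pid, target = "process", int(p["pid"]), p["path"]
    elif target.startswith(("Key: ", "Value: ")):
        kind = "registry"
    elif target == "N/A":
        kind = "unknown"
    elif name.startswith("Trace.TrackingCookie"):
        kind = "cookie"
    elif name.startswith("Trace.Directory"):
        kind = "directory"
    else:
        kind = "file"
    # Assumption: "Trace.*" names are leftovers (registry crumbs, cookies,
    # empty folders); anything else is a code detection worth a second opinion.
    severity = "low" if name.startswith("Trace.") else "high"
    return {"kind": kind, "target": target, "name": name, "pid": pid, "severity": severity}


def parse_log(text):
    """All detections in a log, in order of appearance."""
    return [f for f in map(parse_line, text.splitlines()) if f]


def count_by_kind(findings):
    return Counter(f["kind"] for f in findings)


def second_opinion_candidates(findings):
    """High-severity detections: the items to verify with a multi-engine
    scanner before quarantining or deleting anything."""
    return [f for f in findings if f["severity"] == "high"]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("by kind:", dict(count_by_kind(found)))
    for f in second_opinion_candidates(found):
        print(f"check first: {f['name']} in {f['kind']} {f['target']} (pid {f['pid']})")
```

Run against the full log from the post, the parser reduces 136 lines to one item that needs verification and a count of cookies and registry traces that can simply be cleaned.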



#2 boopme

  • Global Moderator

Posted 21 January 2011 - 10:31 PM

If there were no Clean option then Quarantine it so it can no longer harm the PC. Rule of thumb: Clean, Quarantine, last choice Delete.

I also want you to know about this serious malware type.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Edited by boopme, 21 January 2011 - 10:33 PM.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Groffeaston

  • Topic Starter

Posted 05 February 2011 - 10:04 PM

Hello everyone,

Sorry I have not been on in a while. My back has been getting a little worse and the pain in the lower back, right butt cheek and down my right leg has been very bad lately, so I have had to limit my computer time.

I have a question about Backdoor.Win32.Sinowal.mwh.
According to the result of the scan it says:
Process: [2540] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe detected: Backdoor.Win32.Sinowal.mwh!A2

Now this is in the Yahoo! Search Protection, which I believe is an anti-malware program. My question is this: is the Emsisoft Anti-Malware picking this Yahoo! Search Protection program up as a false positive, does this Trojan actually exist in the Yahoo! Search Protection program and is not supposed to be there, or is this part of the Yahoo! Search Protection program and is for updating the program?

Any information on this?

#4 boopme

  • Global Moderator

Posted 06 February 2011 - 04:44 PM

Ugghh!! Sounds like sciatica, hope you feel better soon.

This is possibly a false positive. We should double check it before we take action.

Let's upload this file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


NOTE:
For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.

#5 Groffeaston

  • Topic Starter

Posted 07 February 2011 - 03:18 PM

Hello everyone,

Well, the results were what I expected, a false positive. But I did get a surprise in the results that is puzzling. The first time, all of the scanners that Jotti uses showed all clear. Then I ran it again just to be sure. Here is the first surprise: the one scanner that showed all clear then showed the Trojan program that I mentioned. I then went to virustotal and ran a scan. Here is the other surprise: the same program that originally showed all clear on Jotti and then showed the Trojan on Jotti after the second scan now showed all clear! :blink: :o :huh: And of course Emsisoft showed the Trojan, but all of the 42 other scanners showed all clear!

The scanner Program that originally showed all clear and then showed the Trojan on Jotti, and then showed all clear on virustotal is: VBA32. I took screen shots of the Jotti scans and can send them. I did not take screen shots of the virustotal scan, I forgot.

I would have included the screen shots, but do not know how to include them on here.

Thanks for the help.

#6 boopme

  • Global Moderator

Posted 07 February 2011 - 04:01 PM

Hello, as they almost all showed nothing it is a false positive. Whatever the characteristic that was flagged here and there was just the thorn the apps were tripping over. You are OK.
If needed in the future there is an "Inserting an Image in a Post" thread here.

New User Orientation
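The reasoning in posts #4 and #6 (submit the file to a multi-engine scanner; one engine flagging a file that 40-odd others call clean, and that same engine changing its mind between runs, points to a false positive) can be written down as a small triage routine. This is an added example, not code from the thread, from Jotti or from VirusTotal: the per-engine verdicts are constructed to mirror the thread's two runs (Emsisoft plus 42 other engines, VBA32 flip-flopping), the engine names other than Emsisoft and VBA32 are placeholders, the VBA32 detection name is made up, and the 10% ratio and two-engine agreement thresholds are assumptions, not a vendor's rule.

```python
from collections import Counter

# Constructed sample modelled on the thread: two submissions of the same file.
# None means the engine reported it clean; a string is the detection name.
# engine00..engine40 are placeholder names, not real vendors.
OTHER_ENGINES = [f"engine{i:02d}" for i in range(41)]

# Second Jotti run: Emsisoft and VBA32 flag it, everyone else is clean.
RUN_JOTTI_2 = {
    "Emsisoft": "Backdoor.Win32.Sinowal.mwh",
    "VBA32": "Trojan.Sinowal.hypothetical",  # made-up name for the flip-flop verdict
    **{e: None for e in OTHER_ENGINES},
}
# VirusTotal run: only Emsisoft flags it; VBA32 is back to clean.
RUN_VIRUSTOTAL = {
    "Emsisoft": "Backdoor.Win32.Sinowal.mwh",
    "VBA32": None,
    **{e: None for e in OTHER_ENGINES},
}


def summarize(results):
    """Detection ratio plus which engines fired and what they called it."""
    hits = {eng: name for eng, name in results.items() if name}
    return {
        "engines": len(results),
        "hits": len(hits),
        "ratio": len(hits) / len(results) if results else 0.0,
        "detecting": sorted(hits),
        "names": Counter(hits.values()),
    }


def classify(results, max_fp_ratio=0.10, min_agreeing=2):
    """Heuristic verdict (thresholds are assumptions): a lone detection among a
    near-unanimous 'clean' is a likely false positive; a few detections are
    'suspicious' and worth reporting to the vendors; more is likely malicious."""
    s = summarize(results)
    if s["hits"] == 0:
        return "clean"
    if s["hits"] < min_agreeing and s["ratio"] <= max_fp_ratio:
        return "likely false positive"
    if s["ratio"] <= max_fp_ratio:
        return "suspicious: few detections, submit to vendors"
    return "likely malicious"


def unstable_engines(run_a, run_b):
    """Engines whose verdict flipped between two runs of the same file."""
    return sorted(e for e in set(run_a) & set(run_b) if bool(run_a[e]) != bool(run_b[e]))


def merge_runs(*runs):
    """Count an engine as detecting only if it did so in every run, so a
    verdict that comes and goes (VBA32 in the thread) does not inflate the tally."""
    engines = set.intersection(*(set(r) for r in runs))
    return {e: (runs[0][e] if all(r[e] for r in runs) else None) for e in engines}


if __name__ == "__main__":
    for label, run in [("Jotti, 2nd run", RUN_JOTTI_2), ("VirusTotal", RUN_VIRUSTOTAL)]:
        s = summarize(run)
        print(f"{label}: {s['hits']}/{s['engines']} engines -> {classify(run)}; detecting: {s['detecting']}")
    print("flip-flopping engines:", unstable_engines(RUN_JOTTI_2, RUN_VIRUSTOTAL))
    print("consistent verdict:", classify(merge_runs(RUN_JOTTI_2, RUN_VIRUSTOTAL)))
```

Taken alone, the second Jotti run reads as "suspicious" because two engines fired; merging the runs drops VBA32's unstable verdict and leaves one engine out of 43, the picture boopme called a false positive. The detection-name counter is there so a practitioner can also see whether the engines that did fire even agree on a family.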

#7 Groffeaston

  • Topic Starter

Posted 08 February 2011 - 12:49 AM

Now I am going to report this False Positive to Emsisoft so they can get it straightened out. Thanks for all your help!

#8 boopme

  • Global Moderator

Posted 08 February 2011 - 09:53 AM

Perfect.
Submitting suspected False Positives for analysis



