GeekPolice
Help removing BOO/Sinowal.E

Post by dhawk on Thu Jul 09, 2009 4:53 am

I contracted this virus a few hours ago according to Avira, and after several terrible attempts at squashing out viruses like this one appears to be, I figured it'd be best if I got some help.

Here is my first HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:18 PM, on 7/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\CyberLink\PCM4Everio\EverioService.exe
E:\WINDOWS\system32\WTClient.exe
E:\Program Files\Zune\ZuneLauncher.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PnkBstrB.exe
E:\Program Files\CyberLink\Shared files\RichVideo.exe
E:\WINDOWS\system32\svchost.exe
E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\WINDOWS\System32\Drivers\WTSRV.EXE
e:\WINDOWS\system32\ZuneBusEnum.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\doublehawk\Desktop\winlogon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "E:\Program Files\RivaTuner v2.11\RivaTuner.exe" /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [EverioService] "E:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [WTClient] WTClient.exe
O4 - HKLM\..\Run: [Zune Launcher] "e:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] E:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - E:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - E:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - E:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 5731 bytes

Re: Help removing BOO/Sinowal.E

Post by Belahzur on Thu Jul 09, 2009 1:36 pm

Hello.
Do you have the Avira log?


Re: Help removing BOO/Sinowal.E

Post by dhawk on Fri Jul 10, 2009 4:54 am

Just ran a new scan with Avira.


Avira AntiVir Personal
Report file date: Thursday, July 09, 2009 20:12

Scanning for 1488682 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MATHEW

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 6/10/2009 03:19:07
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 03:07:45
ANTIVIR2.VDF : 7.1.4.198 778752 Bytes 7/8/2009 03:37:27
ANTIVIR3.VDF : 7.1.4.205 145920 Bytes 7/8/2009 03:37:28
Engineversion : 8.2.0.204
AEVDF.DLL : 8.1.1.1 106868 Bytes 5/1/2009 02:11:57
AEscript.DLL : 8.1.2.13 426362 Bytes 7/3/2009 09:07:57
AESCN.DLL : 8.1.2.3 127347 Bytes 5/16/2009 05:23:54
AERDL.DLL : 8.1.2.2 438642 Bytes 7/3/2009 09:07:57
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/28/2009 06:41:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/18/2009 02:54:58
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 6/27/2009 06:03:06
AEHELP.DLL : 8.1.3.6 205174 Bytes 6/13/2009 00:26:08
AEGEN.DLL : 8.1.1.48 348532 Bytes 7/3/2009 09:07:56
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 22:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 5/28/2009 06:41:19
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 18:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 6/10/2009 03:19:07
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: e:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: E:, M:, Z:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+PCK,+SPR,

Start of the scan: Thursday, July 09, 2009 20:12

Starting search for hidden objects.
'72034' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'GoogleCrashHandler.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'ZuneLauncher.exe' - '1' Module(s) have been scanned
Scan process 'WTClient.exe' - '1' Module(s) have been scanned
Scan process 'EverioService.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ZuneBusEnum.exe' - '1' Module(s) have been scanned
Scan process 'WTSrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrB.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
40 processes with 40 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[DETECTION] Contains code of the BOO/Sinowal.E boot sector virus
[NOTE] The boot sector was not written!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'E:\'
[DETECTION] Contains code of the BOO/Sinowal.E boot sector virus
[NOTE] The boot sector was not written!
Boot sector 'M:\'
[INFO] No virus was found!
Boot sector 'Z:\'
[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '57' files ).


Starting the file scan:

Begin scan in 'E:\'
E:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
Begin scan in 'M:\'

Begin scan in 'Z:\'


End of the scan: Thursday, July 09, 2009 21:42
Used time: 1:29:49 Hour(s)

The scan has been done completely.

14301 Scanned directories
498974 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
498973 Files not concerned
3420 Archives were scanned
1 Warnings
3 Notes
72034 Objects were scanned with rootkit scan
0 Hidden objects were found

Re: Help removing BOO/Sinowal.E

Post by Belahzur on Fri Jul 10, 2009 10:29 am

Heh, MBR infection.

Please download [You must be registered and logged in to see this link.] to your desktop.
Double click on the MBR.exe to run it. A log will be produced, named MBR.log.
Please open this log in Notepad and post its contents in your next reply.


Re: Help removing BOO/Sinowal.E

Post by dhawk on Sat Jul 11, 2009 2:02 am

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x893bb250
NDIS: NVIDIA nForce Networking Controller #2 -> SendCompleteHandler -> 0x893f4f30
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

(I'm guessing that message at the end is a good thing?)

Re: Help removing BOO/Sinowal.E

Post by Belahzur on Sat Jul 11, 2009 4:54 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select NO.
  • Your Desktop should go back to normal now.

Now we can access the recovery console.

Reboot normally.
You will notice an extra menu when booting that gives you two options.

1. Operating system (XP)
2. Recovery Console

It is automatically set to boot the OS, and only shows this screen for 2 seconds, so you'll need to be quick and press the DOWNWARDS arrow key when you see this screen.

When you boot to the Recovery Console, it's just a blue background with a command prompt, so in the console, type in:

fixmbr

Hit Enter. It will now fix the MBR and replace the current one with a copy; allow it to run without interference and it will reboot again on its own.


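Added example, not from the thread, from Gmer's detector or from fixmbr: a Python sketch of the MBR layout the posts above are dealing with. It shows why a boot sector bootkit can sit in the code region without breaking the partition table, how hashing that region against a known-good baseline detects the tampering that the Avira and Gmer output point at, and why fixmbr can rewrite the code region without touching partitions. The sample images, the placeholder boot code and the baseline hash are all constructed here; the offsets are the standard MBR layout.

```python
"""MBR layout, integrity check and code-region restore (added example).

A classic MBR is one 512-byte sector: 440 bytes of boot code, a 4-byte
Windows disk signature, 2 reserved bytes, four 16-byte partition entries
and the 0x55AA boot signature. Sinowal/Mebroot-class bootkits overwrite
the code region and leave the partition table alone so the machine still
boots; fixmbr does the reverse and rewrites only the code region.
Everything here operates on in-memory 512-byte images.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 440          # boot code occupies bytes 0..439
PART_TABLE_OFF = 446    # four 16-byte partition entries start here
PART_ENTRY_SIZE = 16
BOOT_SIG_OFF = 510      # 0x55 0xAA


def parse_partitions(mbr: bytes) -> list:
    """Validate the sector and return the non-empty partition entries."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def code_region_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only (the part a bootkit replaces)."""
    return hashlib.sha256(mbr[:CODE_END]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> dict:
    """Integrity check: does the code region still match a trusted baseline?"""
    return {
        "code_matches_baseline": code_region_hash(mbr) == baseline_hash,
        "partitions": parse_partitions(mbr),
    }


def restore_code_region(mbr: bytes, clean_code: bytes) -> bytes:
    """Rewrite bytes 0..439 only; disk signature, partition table and 0x55AA survive."""
    if len(clean_code) > CODE_END:
        raise ValueError("clean code does not fit in the 440-byte code region")
    return clean_code.ljust(CODE_END, b"\x00") + mbr[CODE_END:]


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample: one bootable NTFS (type 0x07) partition starting at LBA 63."""
    disk_sig, reserved = b"\x12\x34\x56\x78", b"\x00\x00"
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 488_000_000)
    table = ntfs + b"\x00" * (3 * PART_ENTRY_SIZE)
    return code.ljust(CODE_END, b"\x00") + disk_sig + reserved + table + b"\x55\xaa"


# CLEAN_CODE is a placeholder stub, not a real Windows XP MBR; the baseline
# hash would normally be taken from a known-good image of the same OS.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"placeholder clean boot code"
CLEAN_MBR = build_sample_mbr(CLEAN_CODE)
BASELINE = code_region_hash(CLEAN_MBR)

# Constructed "infected" image: different code region, identical partition table.
TAMPERED_MBR = (b"\xeb\x58\x90" + b"placeholder tampered code").ljust(CODE_END, b"\x00") + CLEAN_MBR[CODE_END:]


def demo() -> tuple:
    """Return (check before restore, check after restore) for the tampered image."""
    before = check_mbr(TAMPERED_MBR, BASELINE)
    after = check_mbr(restore_code_region(TAMPERED_MBR, CLEAN_CODE), BASELINE)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("tampered code matches baseline:", before["code_matches_baseline"])   # False
    print("partition table unchanged:", before["partitions"] == after["partitions"])  # True
    print("restored code matches baseline:", after["code_matches_baseline"])    # True
```

On a real disk the 512 bytes would come from a raw read of sector 0, and the Gmer tool's "user" versus "kernel" comparison is a different check: it reads the sector through two paths to catch a driver hook that hides the modified code from ordinary reads.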
Re: Help removing BOO/Sinowal.E

Post by dhawk on Sun Jul 12, 2009 7:38 pm

When I try to select the Recovery Console, this happens:

"Windows could not start because of a computer disk hardware
configuration problem.
Could not read from the selected boot disk. Check boot path
and disk hardware.
Please check the Windows documentation about hardware disk
configuration and your hardware reference manuals for
additional information."

Re: Help removing BOO/Sinowal.E

Post by Belahzur on Sun Jul 12, 2009 9:05 pm

Hello.
Can you boot normally?

Try doing a whole Combofix run.


Re: Help removing BOO/Sinowal.E

Post by dhawk on Sun Jul 12, 2009 11:16 pm

I booted normally and ran Combofix again. It did not prompt me to download the Recovery Console again. Once Combofix was finished for the second time I restarted the computer and had the same problem. Side note: I'm pretty sure that the virus is doing its best to block Combofix. The first time I ran it I had to right click->Save as under a different name. After it did its scan the .exe was replaced with an icon for Internet Explorer. The second time I downloaded it on my laptop to a flash drive, renamed it, and then used it off of the flash drive on the infected computer. I don't know if this will help, but here is the log from the second time I ran Combofix.

ComboFix 09-07-12.03 - doublehawk 07/12/2009 15:46.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2269 [GMT -7:00]
Running from: C:\heyo.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-12 19:24 . 2009-07-12 19:31 -------- d-----w- E:\12345
2009-07-10 03:31 . 2009-07-10 03:31 -------- d-----w- e:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-07-09 04:08 . 2009-07-09 04:08 -------- dc-h--w- e:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-09 04:08 . 2009-03-12 08:17 2902048 -c--a-w- e:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-07-09 04:08 . 2009-07-09 04:12 -------- d-----w- e:\documents and settings\All Users\Application Data\Lavasoft
2009-07-09 04:08 . 2009-07-09 04:08 -------- d-----w- e:\program files\Lavasoft
2009-07-09 03:34 . 2009-07-09 03:34 -------- d-----w- e:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-07-08 04:12 . 2009-07-08 04:12 3638 ----a-r- e:\documents and settings\doublehawk\Application Data\Microsoft\Installer\{6B364A96-9020-4842-98EE-AD1B232AF646}\_69525f90.exe
2009-07-08 04:12 . 2009-07-08 04:12 3638 ----a-r- e:\documents and settings\doublehawk\Application Data\Microsoft\Installer\{6B364A96-9020-4842-98EE-AD1B232AF646}\_2cd672ae.exe
2009-07-08 04:12 . 2009-07-08 04:12 3638 ----a-r- e:\documents and settings\doublehawk\Application Data\Microsoft\Installer\{6B364A96-9020-4842-98EE-AD1B232AF646}\_294823.exe
2009-07-08 04:12 . 2009-07-08 04:12 3638 ----a-r- e:\documents and settings\doublehawk\Application Data\Microsoft\Installer\{6B364A96-9020-4842-98EE-AD1B232AF646}\_18be6784.exe
2009-07-08 04:12 . 2009-07-08 04:12 1078 ----a-r- e:\documents and settings\doublehawk\Application Data\Microsoft\Installer\{6B364A96-9020-4842-98EE-AD1B232AF646}\_4ae13d6c.exe
2009-07-08 04:12 . 2009-07-08 04:12 -------- d-----w- e:\program files\DigiPen
2009-07-08 04:11 . 2009-07-08 04:11 -------- d-----w- E:\Borland
2009-07-01 18:42 . 2009-07-01 18:42 683801 ----a-w- e:\documents and settings\All Users\Application Data\Last.fm\Client\UninstWMP\unins000.exe
2009-07-01 04:37 . 2009-07-01 18:42 185 ----a-w- e:\documents and settings\All Users\Application Data\Last.fm\Client\uninst2.bat
2009-07-01 04:37 . 2009-07-01 04:37 683801 ----a-w- e:\documents and settings\All Users\Application Data\Last.fm\Client\UninstFoo3\unins000.exe
2009-07-01 04:37 . 2009-07-01 04:37 -------- d-----w- e:\documents and settings\All Users\Application Data\Last.fm
2009-07-01 04:36 . 2009-07-08 05:33 -------- d-----w- e:\documents and settings\doublehawk\Local Settings\Application Data\Last.fm
2009-07-01 04:36 . 2009-07-01 04:36 -------- d-----w- e:\program files\Last.fm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 04:06 . 2009-01-28 03:46 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2009-07-08 05:39 . 2008-07-21 02:22 -------- d-----w- e:\documents and settings\doublehawk\Application Data\foobar2000
2009-07-04 10:33 . 2008-07-21 02:15 -------- d-----w- e:\program files\Trillian
2009-06-30 05:05 . 2009-02-24 05:57 -------- d-----w- e:\documents and settings\doublehawk\Application Data\Ventrilo
2009-06-16 03:20 . 2008-07-21 08:12 -------- d-----w- e:\program files\Paint.NET
2009-06-10 22:14 . 2009-06-10 22:14 -------- d-----w- e:\program files\Microsoft XNA
2009-06-09 07:40 . 2008-12-24 04:28 1 ----a-w- e:\documents and settings\doublehawk\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-08 01:03 . 2009-04-04 08:33 -------- d-----w- e:\documents and settings\doublehawk\Application Data\Bioshock
2009-06-07 21:36 . 2008-07-21 02:22 -------- d-----w- e:\program files\foobar2000
2009-06-04 02:54 . 2009-06-04 02:54 -------- d-----w- e:\documents and settings\doublehawk\Application Data\Move Networks
2009-06-02 04:58 . 2008-07-21 08:11 20936 ----a-w- e:\documents and settings\doublehawk\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 17:57 . 2008-11-30 09:47 38 ----a-w- e:\windows\popcinfot.dat
2009-05-18 03:49 . 2009-05-18 03:49 -------- d-----w- e:\program files\Google
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- e:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-02-28 12:00 827392 ----a-w- e:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 ----a-w- e:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- e:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- e:\windows\system32\rpcrt4.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- e:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- e:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
//CONTINUED IN NEXT POST

dhawk
Novice
Posts : 11
Joined : 2009-07-09
OS : XP
Points : 27043
# Likes : 0

Re: Help removing BOO/Sinowal.E

Post by dhawk on Sun Jul 12, 2009 11:16 pm

//CONTINUATION
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="e:\documents and settings\doublehawk\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="e:\program files\RivaTuner v2.11\RivaTuner.exe" [2008-09-16 2715648]
"SunJavaUpdateSched"="e:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"EverioService"="e:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-12-27 151552]
"Zune Launcher"="e:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"StartCCC"="e:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Ad-Watch"="e:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"WTClient"="WTClient.exe" - e:\windows\system32\WTClient.exe [2007-04-11 40960]
"RTHDCPL"="RTHDCPL.EXE" - e:\windows\RTHDCPL.EXE [2008-12-30 18082304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="e:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"m:\\Steam\\steamapps\\metroid5050\\team fortress 2\\hl2.exe"=
"e:\\Documents and Settings\\doublehawk\\Desktop\\Marathon Infinity\\AlephOne.exe"=
"m:\\Steam\\steamapps\\metroid5050\\half-life\\hl.exe"=
"m:\\Steam\\steamapps\\metroid5050\\day of defeat source\\hl2.exe"=
"m:\\Steam\\steamapps\\metroid5050\\counter-strike source\\hl2.exe"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=
"m:\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe"=
"m:\\Steam\\Steam.exe"=
"e:\\WINDOWS\\system32\\PnkBstrA.exe"=
"e:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"m:\\Steam\\steamapps\\common\\grand theft auto san andreas\\gta-sa.exe"=
"m:\\Steam\\steamapps\\common\\max payne\\maxpayne.exe"=
"m:\\Steam\\steamapps\\common\\max payne 2 the fall of max payne\\maxpayne2.exe"=
"m:\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
"m:\\Steam\\steamapps\\metroid5050\\darwinia\\darwinia.exe"=
"m:\\Steam\\steamapps\\common\\ultimate doom\\ultimate.bat"=
"m:\\Steam\\steamapps\\common\\deus ex\\System\\DeusEx.exe"=
"m:\\Steam\\steamapps\\common\\fallout 3\\Fallout3.exe"=
"e:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"e:\\Documents and Settings\\doublehawk\\Desktop\\utorrent.exe"=
"m:\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"m:\\Steam\\steamapps\\common\\peggle nights\\PeggleNights.exe"=
"m:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"m:\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=
"m:\\Steam\\steamapps\\common\\blueberry garden\\BlueberryGarden.exe"=
"m:\\Steam\\steamapps\\common\\left 4 dead\\bin\\SDKLauncher.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [4/29/2009 7:11 PM 108289]
R2 WinDefend;Windows Defender;e:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;e:\windows\system32\drivers\AtiHdmi.sys [7/20/2007 7:40 PM 84992]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;e:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 951632]
S3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;e:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 1:03 PM 169312]
.
Contents of the 'Scheduled Tasks' folder

2009-07-09 e:\windows\Tasks\Ad-Aware Update (Weekly).job
- e:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-07-05 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-813497703-1801674531-1003Core.job
- e:\documents and settings\doublehawk\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 23:34]

2009-07-10 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-813497703-1801674531-1003UA.job
- e:\documents and settings\doublehawk\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 23:34]

2009-07-12 e:\windows\Tasks\MP Scheduled Scan.job
- e:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - e:\documents and settings\doublehawk\Application Data\Mozilla\Firefox\Profiles\z3io3kjg.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: e:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: e:\documents and settings\doublehawk\Application Data\Mozilla\Firefox\Profiles\z3io3kjg.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: e:\documents and settings\doublehawk\Application Data\Mozilla\Firefox\Profiles\z3io3kjg.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: e:\documents and settings\doublehawk\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-12 15:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-813497703-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:1c,9a,9d,a4,99,57,67,41,b9,a7,ab,b3,a9,bf,eb,dd,cc,12,e1,c9,29,
7b,a6,01,d0,1a,c4,39,f7,a1,ce,a2,a8,32,84,78,52,c4,88,fe,28,a9,85,aa,e6,51,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
e:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3648)
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-12 15:55
ComboFix-quarantined-files.txt 2009-07-12 22:54
ComboFix2.txt 2009-07-12 19:31

Pre-Run: 20,993,536,000 bytes free
Post-Run: 20,968,075,264 bytes free

272 --- E O F --- 2009-07-10 04:53

Re: Help removing BOO/Sinowal.E

Post by Belahzur on Mon Jul 13, 2009 12:05 am

Hmm, something is not right here.
Open this file in notepad:

C:\boot.ini

DO NOT MODIFY THIS FILE!!
Copy and paste what's inside it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

Re: Help removing BOO/Sinowal.E

Post by dhawk on Mon Jul 13, 2009 12:20 am

I am going to assume you want "E:\boot.ini" since that is the name of the drive I installed Windows to.

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
E:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Re: Help removing BOO/Sinowal.E

Post by dhawk on Wed Jul 15, 2009 8:02 pm

bump

Re: Help removing BOO/Sinowal.E

Post by Belahzur on Wed Jul 15, 2009 9:01 pm

Sorry for the delay, your topic got pushed back.

Is the cmdcons folder present on the E:\ drive? [folder will be hidden, so you may need to show hidden files to see it]


Re: Help removing BOO/Sinowal.E

Post by dhawk on Thu Jul 16, 2009 1:49 am

Yes, I'm looking at E:\cmdcons right now. What do you need?

Re: Help removing BOO/Sinowal.E

Post by Origin on Thu Jul 16, 2009 4:33 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it, since some malware blocks GMER.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31443
# Likes : 0

Re: Help removing BOO/Sinowal.E

Post by dhawk on Fri Jul 17, 2009 4:47 am

GMER 1.0.15.14972 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-16 21:44:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT BA7920AE ZwCreateKey
SSDT BA7920A4 ZwCreateThread
SSDT BA7920B3 ZwDeleteKey
SSDT BA7920BD ZwDeleteValueKey
SSDT BA7920C2 ZwLoadKey
SSDT BA792090 ZwOpenProcess
SSDT BA792095 ZwOpenThread
SSDT BA7920CC ZwReplaceKey
SSDT BA7920C7 ZwRestoreKey
SSDT BA7920B8 ZwSetValueKey
SSDT BA79209F ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text e:\WINDOWS\system32\ZuneBusEnum.exe[320] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00DA2B80
.text e:\WINDOWS\system32\ZuneBusEnum.exe[320] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00DA2B3D
.text e:\WINDOWS\system32\ZuneBusEnum.exe[320] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00DA2B01
.text e:\WINDOWS\system32\ZuneBusEnum.exe[320] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DA2AE6
.text e:\WINDOWS\system32\ZuneBusEnum.exe[320] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DA2972
.text e:\WINDOWS\system32\ZuneBusEnum.exe[320] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DA2A64
.text e:\WINDOWS\system32\ZuneBusEnum.exe[320] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DA29AA
.text e:\WINDOWS\system32\ZuneBusEnum.exe[320] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DA29E2
.text E:\Program Files\Windows Defender\MsMpEng.exe[976] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00FD2B80
.text E:\Program Files\Windows Defender\MsMpEng.exe[976] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00FD2B3D
.text E:\Program Files\Windows Defender\MsMpEng.exe[976] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00FD2B01
.text E:\Program Files\Windows Defender\MsMpEng.exe[976] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FD2AE6
.text E:\Program Files\Windows Defender\MsMpEng.exe[976] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FD2972
.text E:\Program Files\Windows Defender\MsMpEng.exe[976] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FD2A64
.text E:\Program Files\Windows Defender\MsMpEng.exe[976] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FD29AA
.text E:\Program Files\Windows Defender\MsMpEng.exe[976] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FD29E2
.text E:\WINDOWS\System32\alg.exe[1152] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00B52B80
.text E:\WINDOWS\System32\alg.exe[1152] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00B52B3D
.text E:\WINDOWS\System32\alg.exe[1152] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00B52B01
.text E:\WINDOWS\System32\alg.exe[1152] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B52AE6
.text E:\WINDOWS\System32\alg.exe[1152] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B52972
.text E:\WINDOWS\System32\alg.exe[1152] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B52A64
.text E:\WINDOWS\System32\alg.exe[1152] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B529AA
.text E:\WINDOWS\System32\alg.exe[1152] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B529E2
.text E:\WINDOWS\system32\wbem\wmiprvse.exe[1336] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00DC2B80
.text E:\WINDOWS\system32\wbem\wmiprvse.exe[1336] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00DC2B3D
.text E:\WINDOWS\system32\wbem\wmiprvse.exe[1336] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00DC2B01
.text E:\WINDOWS\system32\wbem\wmiprvse.exe[1336] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DC2AE6
.text E:\WINDOWS\system32\wbem\wmiprvse.exe[1336] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DC2972
.text E:\WINDOWS\system32\wbem\wmiprvse.exe[1336] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DC2A64
.text E:\WINDOWS\system32\wbem\wmiprvse.exe[1336] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DC29AA
.text E:\WINDOWS\system32\wbem\wmiprvse.exe[1336] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DC29E2
.text E:\Program Files\Avira\AntiVir Desktop\sched.exe[1436] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01792B80
.text E:\Program Files\Avira\AntiVir Desktop\sched.exe[1436] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01792B3D
.text E:\Program Files\Avira\AntiVir Desktop\sched.exe[1436] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01792B01
.text E:\Program Files\Avira\AntiVir Desktop\sched.exe[1436] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01792AE6
.text E:\Program Files\Avira\AntiVir Desktop\sched.exe[1436] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01792972
.text E:\Program Files\Avira\AntiVir Desktop\sched.exe[1436] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01792A64
.text E:\Program Files\Avira\AntiVir Desktop\sched.exe[1436] WS2_32.dll!recv 71AB676F 5 Bytes JMP 017929AA
.text E:\Program Files\Avira\AntiVir Desktop\sched.exe[1436] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 017929E2
.text E:\Program Files\Avira\AntiVir Desktop\avguard.exe[1624] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01302B80
.text E:\Program Files\Avira\AntiVir Desktop\avguard.exe[1624] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01302B3D
.text E:\Program Files\Avira\AntiVir Desktop\avguard.exe[1624] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01302B01
.text E:\Program Files\Avira\AntiVir Desktop\avguard.exe[1624] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01302AE6
.text E:\Program Files\Avira\AntiVir Desktop\avguard.exe[1624] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01302972
.text E:\Program Files\Avira\AntiVir Desktop\avguard.exe[1624] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01302A64
.text E:\Program Files\Avira\AntiVir Desktop\avguard.exe[1624] WS2_32.dll!recv 71AB676F 5 Bytes JMP 013029AA
.text E:\Program Files\Avira\AntiVir Desktop\avguard.exe[1624] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 013029E2
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2300] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00EA2B80
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2300] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00EA2B3D
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2300] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00EA2B01
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2300] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EA2AE6
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2300] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EA2972
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2300] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EA2A64
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2300] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EA29AA
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2300] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EA29E2
.text E:\WINDOWS\Explorer.EXE[2552] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01452B80
.text E:\WINDOWS\Explorer.EXE[2552] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01452B3D
.text E:\WINDOWS\Explorer.EXE[2552] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01452B01
.text E:\WINDOWS\Explorer.EXE[2552] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01452AE6
.text E:\WINDOWS\Explorer.EXE[2552] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01452972
.text E:\WINDOWS\Explorer.EXE[2552] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01452A64
.text E:\WINDOWS\Explorer.EXE[2552] WS2_32.dll!recv 71AB676F 5 Bytes JMP 014529AA
.text E:\WINDOWS\Explorer.EXE[2552] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 014529E2
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EB1A
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EB8B
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90ECB9
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2832] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]

Re: Help removing BOO/Sinowal.E

Post by dhawk on Fri Jul 17, 2009 4:47 am

.text E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2836] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00BD2B80
.text E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2836] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00BD2B3D
.text E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2836] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00BD2B01
.text E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2836] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BD2AE6
.text E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2836] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BD2972
.text E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2836] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BD2A64
.text E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2836] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BD29AA
.text E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2836] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BD29E2
.text E:\Program Files\CyberLink\PCM4Everio\EverioService.exe[2844] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 017E2B80
.text E:\Program Files\CyberLink\PCM4Everio\EverioService.exe[2844] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 017E2B3D
.text E:\Program Files\CyberLink\PCM4Everio\EverioService.exe[2844] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 017E2B01
.text E:\Program Files\CyberLink\PCM4Everio\EverioService.exe[2844] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 017E2AE6
.text E:\Program Files\CyberLink\PCM4Everio\EverioService.exe[2844] WS2_32.dll!send 71AB4C27 5 Bytes JMP 017E2972
.text E:\Program Files\CyberLink\PCM4Everio\EverioService.exe[2844] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 017E2A64
.text E:\Program Files\CyberLink\PCM4Everio\EverioService.exe[2844] WS2_32.dll!recv 71AB676F 5 Bytes JMP 017E29AA
.text E:\Program Files\CyberLink\PCM4Everio\EverioService.exe[2844] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 017E29E2
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2904] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 03822B80
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2904] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 03822B3D
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2904] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 03822B01
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2904] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03822AE6
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2904] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03822972
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2904] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03822A64
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2904] WS2_32.dll!recv 71AB676F 5 Bytes JMP 038229AA
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2904] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 038229E2
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[2980] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 011B2B80
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[2980] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 011B2B3D
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[2980] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 011B2B01
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[2980] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011B2AE6
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[2980] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011B2972
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[2980] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011B2A64
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[2980] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011B29AA
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[2980] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011B29E2
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EB1A
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EB8B
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90ECB9
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3208] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EB1A
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EB8B
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90ECB9
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3416] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 03912B80
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3416] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 03912B3D
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3416] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 03912B01
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3416] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03912AE6
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3416] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03912972
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3416] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03912A64
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3416] WS2_32.dll!recv 71AB676F 5 Bytes JMP 039129AA
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3416] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 039129E2

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI \Device\00000042 8939A250
Device \Driver\ACPI \Device\00000050 8939A250
Device \Driver\ACPI \Device\00000045 8939A250
Device \Driver\ACPI \Device\00000053 8939A250
Device \Driver\ACPI \Device\00000046 8939A250
Device \Driver\ACPI \Device\00000054 8939A250
Device \Driver\ACPI \Device\00000047 8939A250
Device \Driver\ACPI \Device\00000061 8939A250
Device \Driver\ACPI \Device\00000055 8939A250
Device \Driver\ACPI \Device\00000062 8939A250
Device \Driver\ACPI \Device\00000065 8939A250
Device \Driver\ACPI \Device\00000059 8939A250
Device \Driver\ACPI \Device\00000066 8939A250
Device \Driver\ACPI \Device\00000067 8939A250
Device \Driver\ACPI \Device\00000068 8939A250
Device \Driver\ACPI \Device\0000004c 8939A250
Device \Driver\ACPI \Device\0000005a 8939A250
Device \Driver\ACPI \Device\0000005b 8939A250
Device \Driver\ACPI \Device\0000005c 8939A250
Device \Driver\ACPI \Device\0000004f 8939A250
Device \Driver\ACPI \Device\0000005d 8939A250
Device \Driver\ACPI \Device\0000005e 8939A250

---- EOF - GMER 1.0.15 ----

dhawk
Novice
Posts : 11
Joined : 2009-07-09
OS : XP
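Reading the user-mode section of a GMER log like the one above by hand is slow, so here is an added example (written for this page; it is not GMER's code and was not posted in the thread) that parses the `.text` hook lines and ranks them. Two patterns in this log are worth separating. The chrome.exe entries are 4-byte patches at +6 and a single [E2] byte at +B of ntdll's Nt* syscall stubs, which matches how Chrome's sandbox intercepts system calls on XP (the stub's `mov edx, 7FFE0300 / call [edx]` becomes `mov edx, <thunk> / jmp edx`), so they are expected in a sandboxed browser. The ccc.exe entries redirect send/recv/WSASend/WSARecv/closesocket and CryptEncrypt/CryptDecrypt/CryptDestroyKey to 0391xxxx, an address that belongs to no loaded DLL, which is the footprint a responder wants to chase first. The script scores the second pattern high and leaves the first alone. The module address ranges and the sample lines are constructed for the example (the iexplore.exe line is invented to show a low-severity case); a hit in the output is a lead to dump and inspect the target region, not a verdict.

```python
"""Triage of GMER "User code sections" hook lines (added example, not GMER's code).

Parses lines of the form
  .text <process>[<pid>] <module>!<export> [+ <off>] <addr> <n> Bytes <patch>
and ranks each hook by two signals: is the export a network/CryptoAPI entry
point, and does the patch redirect execution outside every known module.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)"
    r"(?:\s+\+\s+(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+"
    r"(?P<patch>.+?)\s*$"
)
REDIRECT_RE = re.compile(r"^(?:JMP|CALL)\s+([0-9A-Fa-f]{8})$")

# Exports whose hooking hands a trojan the plaintext of everything a
# process sends, receives or passes to CryptoAPI.
WATCHED_APIS = {
    "ws2_32.dll": {"send", "recv", "WSASend", "WSARecv", "closesocket"},
    "advapi32.dll": {"CryptEncrypt", "CryptDecrypt", "CryptDestroyKey"},
}

# Constructed load ranges (assumption for the example).  XP has no ASLR, so
# system DLLs share one base across processes, but take the real ranges
# from GMER's module list or Process Explorer on the machine under analysis.
MODULE_RANGES: Dict[str, Tuple[int, int]] = {
    "ntdll.dll": (0x7C900000, 0x7C9B0000),
    "advapi32.dll": (0x77DD0000, 0x77E6B000),
    "ws2_32.dll": (0x71AB0000, 0x71AC7000),
}


@dataclass
class Hook:
    proc: str
    pid: int
    module: str
    export: str
    offset: Optional[int]   # byte offset into the export, None when at entry
    addr: int               # patched address
    nbytes: int
    patch: str              # GMER's rendering of the new bytes
    target: Optional[int]   # JMP/CALL destination when GMER decoded one


@dataclass
class Finding:
    hook: Hook
    severity: str
    reasons: List[str]


def parse_hooks(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, kernel entries
        d = m.groupdict()
        r = REDIRECT_RE.match(d["patch"])
        hooks.append(Hook(
            proc=d["proc"], pid=int(d["pid"]), module=d["module"], export=d["export"],
            offset=int(d["off"], 16) if d["off"] else None,
            addr=int(d["addr"], 16), nbytes=int(d["n"]), patch=d["patch"],
            target=int(r.group(1), 16) if r else None,
        ))
    return hooks


def in_loaded_module(addr: int, ranges: Dict[str, Tuple[int, int]]) -> bool:
    return any(lo <= addr < hi for lo, hi in ranges.values())


def triage(hooks: List[Hook], ranges=MODULE_RANGES) -> List[Finding]:
    findings = []
    for h in hooks:
        watched = h.export in WATCHED_APIS.get(h.module.lower(), ())
        outside = h.target is not None and not in_loaded_module(h.target, ranges)
        if not (watched or outside):
            continue  # e.g. the chrome.exe ntdll stub patches: no decoded target, not a watched API
        sev = "high" if (watched and outside) else ("medium" if outside else "low")
        reasons = []
        if watched:
            reasons.append(f"hook on {h.module}!{h.export}")
        if outside:
            reasons.append(f"redirects to {h.target:08X}, outside every known module")
        findings.append(Finding(h, sev, reasons))
    return findings


def summarize(findings: List[Finding]) -> Dict[int, Dict[str, int]]:
    per_pid = defaultdict(Counter)
    for f in findings:
        per_pid[f.hook.pid][f.severity] += 1
    return {pid: dict(c) for pid, c in per_pid.items()}


# Constructed sample modelled on the log above; the iexplore.exe line is invented.
SAMPLE_LOG = r"""
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 15, 00]
.text E:\Documents and Settings\doublehawk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3236] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3416] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 03912B01
.text E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3416] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03912972
.text E:\Program Files\Internet Explorer\iexplore.exe[1234] WS2_32.dll!recv 71AB676F 5 Bytes JMP 71AB1234
"""

if __name__ == "__main__":
    for f in triage(parse_hooks(SAMPLE_LOG)):
        name = f.hook.proc.split("\\")[-1]
        print(f"{f.severity:6} pid {f.hook.pid:5} {name}: {'; '.join(f.reasons)}")
```

Run it against a full GMER log by replacing SAMPLE_LOG with the file contents; everything outside the user-code section is ignored by the regex. The "medium" tier (a redirect to non-module memory on an API that is not in WATCHED_APIS) is where injected DLLs of unknown purpose land, so extend the watched list rather than lowering the threshold when a case turns up new APIs.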

Re: Help removing BOO/Sinowal.E

Post by Origin on Fri Jul 17, 2009 11:44 pm

Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to the Actions tab >> under the Objects section, change the settings to those below:
      Infected objects - Cure
      Incurable objects - Report
      Suspicious objects - Report
    o Don't change any other settings.
  • Start the scan again. This time, choose Complete Scan.
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all.
  • Click on Cure and choose Report incurable (this means take no action: don't "move", "rename" or "delete").
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Post DrWeb.csv in your next reply (open it with Notepad). Do NOT reboot the computer yet.



Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3