Sinowal (Boot sector virus), Help request


Post by Yozaurious on 1st December 2008, 11:03 pm

Greetings,

I have been contacted by my bank saying that I have a boot sector virus called "sinowal" on my system and that I should get rid of it. However, they are kind enough not to tell me how, apart from saying "google it". So I am here, hoping for some help. I must here mention that although the bank representative has mentioned that I have a sinowal, I believe it can be any stealthy boot system trojan that is out there at the moment.

I have 3 partitions: one Vista 64 for games and general web-surfing, one XP 32 for work/research, and one for file storage with no OS.
I use online banking mainly on XP but sometimes have used it on 64.

My question is: how do I find the trojan/virus (especially since it's in the boot sector), how do I get rid of it (perhaps a boot sector wipe/fix?), and whether I need to now change all my passwords, as I believe this stealthy sob has been running for some time? Also, any suggestions as to what currently is the best free firewall/antivirus protection out there would be greatly appreciated.

Hijackthis info (Vista 64, please do let me know if you need the same for my XP partition):
-------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:48:34, on 01/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files (x86)\EVEMon\EVEMon.exe
C:\Program Files (x86)\Launchy\Launchy.exe
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\AVG\AVG8\avgui.exe
C:\Users\Yozaurious\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [EVEMon] "C:\Program Files (x86)\EVEMon\EVEMon.exe" -startMinimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Launchy.lnk = C:\Program Files (x86)\Launchy\Launchy.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7672 bytes

-------------------------------

I would really appreciate some advice as I have tried googling a solution, but in vain.

Thank you in advance.

Kind regards,

Yozaurious

Yozaurious
Novice
Novice

Posts Posts : 13
Joined Joined : 2008-12-01
OS OS : Vista SP1 (x64) / XP SP2 (x32)
Points Points : 29310
# Likes # Likes : 0
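A small triage pass over the O4 (Run) and O23 (Service) lines of a HijackThis log, added here as an example; it is not part of this thread and not HijackThis's own logic. The sample lines are copied from the log above except the last one, which is constructed, and the path rules and severities are my own assumptions for ranking entries for manual review, not for declaring anything malicious.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the HijackThis 2.0.2 log posted in this
# thread. The first seven lines are copied from that log; the last line is a
# constructed entry so that the triage has a user-writable path to flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
O4 - HKCU\..\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
O4 - Global Startup: Launchy.lnk = C:\Program Files (x86)\Launchy\Launchy.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O4 - HKCU\..\Run: [Updater] C:\Users\Example\AppData\Local\Temp\update.exe
"""

# O4 lines: "O4 - <hive>\..\Run: [<name>] <command>" or "O4 - Global Startup: <lnk> = <target>"
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# O23 lines: "O23 - Service: <display> - <owner> - <path>[ (file missing)]"
# (a display name that itself contains " - " would mis-split; none does in this log)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# First program-like token of an unquoted command, allowing spaces in the path.
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", re.IGNORECASE)

# Assumed "expected" install locations on this machine (from the %ProgramFiles%
# and %SystemRoot% values in the OTViewIt header posted later in the thread).
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~", "c:\\windows")


@dataclass
class Finding:
    section: str   # "O4" or "O23"
    subject: str   # Run-key value name or service display name
    severity: str  # "high", "medium" or "low" (assumed ranking for manual review)
    reason: str


def executable(cmd: str) -> str:
    """Return the program part of a Run command: the quoted token when quoted,
    otherwise the first token that looks like a program (spaces allowed)."""
    cmd = cmd.strip()
    if " = " in cmd:                      # Global Startup "shortcut = target"
        cmd = cmd.split(" = ", 1)[1]
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def _check_o4(name: Optional[str], cmd: str) -> Optional[Finding]:
    exe = executable(cmd)
    low = exe.lower()
    subject = name or exe
    if not re.match(r"^[a-z]:\\", low):
        return Finding("O4", subject, "medium",
                       f"'{exe}' has no absolute path and is resolved through the "
                       f"search path; confirm which file actually loads")
    if low.startswith("c:\\users\\"):
        return Finding("O4", subject, "high",
                       f"{exe} runs from a user-writable profile directory")
    if not low.startswith(TRUSTED_PREFIXES):
        return Finding("O4", subject, "medium",
                       f"{exe} runs from outside Program Files / Windows")
    return None


def _check_o23(display: str, owner: str, path: str, missing: bool) -> Optional[Finding]:
    low = path.lower()
    if missing and owner == "Unknown owner" and low.startswith("c:\\windows\\system32\\"):
        # With the 32-bit HijackThis build on x64 Windows, "(file missing)" on
        # core System32 services is commonly a WoW64 redirection artifact:
        # confirm the file in the real System32 before treating it as malware.
        return Finding("O23", display, "low",
                       f"{path} reported missing; likely a 32-bit-scanner-on-x64 artifact")
    if missing:
        return Finding("O23", display, "medium", f"service binary {path} does not exist")
    if owner == "Unknown owner":
        return Finding("O23", display, "medium",
                       f"{path} has no recognised vendor; verify its publisher and signature")
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the O4/O23 entries worth a closer look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m4 = O4_RE.match(line)
        if m4:
            finding = _check_o4(m4["name"], m4["cmd"])
        else:
            m23 = O23_RE.match(line)
            finding = (_check_o23(m23["display"], m23["owner"], m23["path"],
                                  bool(m23["missing"])) if m23 else None)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section} {f.subject}: {f.reason}")
```

Note that a boot-sector infection does not show up in these sections at all; this only ranks the user-mode autostart entries the log does record.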


Post by Belahzur on 1st December 2008, 11:08 pm

Hello.
Please do this.

Download [You must be registered and logged in to see this link.] to your desktop.

  • Close all windows and open it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras. Post both those logs here.
  • You may need to use two posts to get it all on the forum


The OTViewIt.txt can be quite long, so please make sure you have posted it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1


Post by Yozaurious on 1st December 2008, 11:40 pm

Wrong info


Last edited by Yozaurious on 1st December 2008, 11:47 pm; edited 1 time in total


Post by Yozaurious on 1st December 2008, 11:41 pm

Wrong info


Last edited by Yozaurious on 1st December 2008, 11:47 pm; edited 1 time in total


Post by Yozaurious on 1st December 2008, 11:43 pm

Wrong info


Last edited by Yozaurious on 1st December 2008, 11:47 pm; edited 1 time in total


Post by Yozaurious on 1st December 2008, 11:44 pm

Wrong info


Last edited by Yozaurious on 1st December 2008, 11:47 pm; edited 1 time in total


Post by Yozaurious on 1st December 2008, 11:44 pm

Apologies for the mishap. The following are the 60-day OTViewIt reports.


Last edited by Yozaurious on 1st December 2008, 11:54 pm; edited 1 time in total


Post by Yozaurious on 1st December 2008, 11:52 pm

OTViewIt Extras logfile created on: 01/12/2008 23:48:16 - Run 5
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Users\Yozaurious\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 0.87 Gb Available Physical Memory | 43.69% Memory free
4.00 Gb Paging File | 2.94 Gb Available in Paging File | 73.58% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 300.00 Gb Total Space | 146.51 Gb Free Space | 48.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 350.00 Gb Total Space | 231.69 Gb Free Space | 66.20% Space Free | Partition Type: NTFS
Drive H: | 48.63 Gb Total Space | 29.63 Gb Free Space | 60.94% Space Free | Partition Type: NTFS
Drive I: | 970.74 Mb Total Space | 454.37 Mb Free Space | 46.81% Space Free | Partition Type: FAT32

Computer Name: AL
Current User Name: Yozaurious
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 60 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av"=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"DisableNotifications"=0
"EnableFirewall"=1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000001 [@%SystemRoot%\system32\nlasvc.dll,-1000] -- C:\Windows\System32\nlaapi.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000002 [@%SystemRoot%\system32\napinsp.dll,-1000] -- C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000003 [@%SystemRoot%\system32\pnrpnsp.dll,-1000] -- C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000004 [@%SystemRoot%\system32\pnrpnsp.dll,-1001] -- C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000005 [mdnsNSP] -- C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

========== HKEY_LOCAL_MACHINE Protocol Defaults ==========


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults - Default Protocols
ldap -- 4 = Restricted sites (Not a Default Protocol)
news -- 4 = Restricted sites (Not a Default Protocol)
nntp -- 4 = Restricted sites (Not a Default Protocol)
oecmd -- 4 = Restricted sites (Not a Default Protocol)
snews -- 4 = Restricted sites (Not a Default Protocol)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/10/02 03:49:15 | 03,578,880 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll (about:{3050F406-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML About Pluggable Protocol])
[2008/10/02 03:49:19 | 01,166,336 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll (cdl:{3dd53d40-7b8b-11D0-b013-00aa0059ce02} (HKLM) [CDL: Asychronous Pluggable Protocol Handler])
[2008/01/19 07:35:15 | 01,544,704 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\MSVidCtl.dll (dvd:{12D51199-0DB5-46FE-A120-47A3D7D937CC} (HKLM) [DVD: Pluggable Protocol])
[2008/10/02 03:49:19 | 01,166,336 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll (file:{79eac9e7-baf9-11ce-8c82-00aa004ba90b} (HKLM) [file:, local: Asychronous Pluggable Protocol Handler])
[2008/10/02 03:49:19 | 01,166,336 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll (ftp:{79eac9e3-baf9-11ce-8c82-00aa004ba90b} (HKLM) [ftp: Asychronous Pluggable Protocol Handler])
[2008/10/02 03:49:19 | 01,166,336 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll (http:{79eac9e2-baf9-11ce-8c82-00aa004ba90b} (HKLM) [http: Asychronous Pluggable Protocol Handler])
[2008/10/02 03:49:19 | 01,166,336 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll (https:{79eac9e5-baf9-11ce-8c82-00aa004ba90b} (HKLM) [https: Asychronous Pluggable Protocol Handler])
[2008/10/02 03:49:15 | 03,578,880 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll (javascript:{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Javascript Pluggable Protocol])
[2008/07/03 16:57:18 | 00,079,128 | ---- | M] (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG8\avgpp.dll (linkscanner:{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} (HKLM) [XPLPPFilter Class])
[2008/10/02 03:49:19 | 01,166,336 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll (local:{79eac9e7-baf9-11ce-8c82-00aa004ba90b} (HKLM) [file:, local: Asychronous Pluggable Protocol Handler])
[2008/10/02 03:49:15 | 03,578,880 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll (mailto:{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Mailto Pluggable Protocol])
[2008/10/02 03:49:19 | 01,166,336 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll (mk:{79eac9e6-baf9-11ce-8c82-00aa004ba90b} (HKLM) [mk: Asychronous Pluggable Protocol Handler])
[2008/10/02 03:49:15 | 03,578,880 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll (res:{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Resource Pluggable Protocol])
[2008/04/23 16:45:34 | 01,942,864 | R--- | M] (Skype Technologies) C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} (HKLM) [IEProtocolHandler Class])
[2008/01/19 07:35:15 | 01,544,704 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\MSVidCtl.dll (tv:{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} (HKLM) [TV: Pluggable Protocol])
[2008/10/02 03:49:15 | 03,578,880 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll (vbscript:{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Javascript Pluggable Protocol])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2008/10/02 03:49:19 | 01,166,336 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll deflate:{8f6b0360-b80d-11d0-a9b3-006097942311} (HKLM) [AP encoding/decoding Filters]
[2008/10/02 03:49:19 | 01,166,336 | ---- | M] (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll gzip:{8f6b0360-b80d-11d0-a9b3-006097942311} (HKLM) [AP encoding/decoding Filters]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{000E79B7-E725-4F01-870A-C12942B7F8E4}"=Crysis(R)
"{00203668-8170-44A0-BE44-B632FA4D780F}"=Adobe AIR
"{021C4C4F-C93C-4425-BFFD-C2D16776BFAE}"=Visual C++ 8.0 Runtime Setup Package (x64)
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}"=Apple Software Update
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}"=Steam
"{14574B7F-75D1-4718-B7F2-EBF6E2862A35}"=Company of Heroes - FAKEMSI
"{14D10AAC-9737-454E-A247-8075C26C30E1}"=SILENT HILL 3
"{199E6632-EB28-4F73-AECB-3E192EB92D18}"=Company of Heroes - FAKEMSI
"{1F698102-5739-441E-96F0-74F4EA540F06}"=Attansic Ethernet Utility
"{21DBBDD6-93A5-4326-9A04-C9A5C9148502}"=Norton PartitionMagic
"{2300EE96-0A41-4FAB-BD03-989EC44577A0}"=Acronis Disk Director Suite
"{25724802-CC14-4B90-9F3B-3D6955EE27B1}"=Company of Heroes - FAKEMSI
"{296D8550-CB06-48E4-9A8B-E5034FB64715}"=Command & Conquer™ Red Alert™ 3
"{32C4A4EB-C97D-414E-99C5-38F8DFD31D5D}"=Company of Heroes - FAKEMSI
"{3BD633E0-4BF8-4499-9149-88F0767D449C}"=Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}"=Bonjour
"{4D87DC92-C328-46EC-A7B4-9C88129DC696}"=Dead Space™
"{50193078-F553-4EBA-AA77-64C9FAA12F98}"=Company of Heroes - FAKEMSI
"{51D718D1-DA81-4FAD-919F-5C1CE3C33379}"=Company of Heroes - FAKEMSI
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}"=neroxml
"{5731C0A8-B266-451A-8D3F-8066AA21836F}"=Tom Clancy's Rainbow Six Vegas
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}"=Skype™ 3.8
"{66EBD70F-A42C-475F-AEDF-277378151033}"=Nero 7 Essentials
"{66F78C51-D108-4F0C-A93C-1CBE74CE338F}"=Company of Heroes - FAKEMSI
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}"=Windows Media Player Firefox Plugin
"{6E19F210-3813-4002-B561-94D66AA182B6}"=Attansic L1 Gigabit Ethernet Driver
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}"=Acrobat.com
"{7F3AD00A-1819-4B15-BB7D-08B3586336D7}"=3DMark06
"{7F4B1592-222F-4E5F-A100-E5AFD61A0BB3}"=Company of Heroes - FAKEMSI
"{80D03817-7943-4839-8E96-B9F924C5E67D}"=Company of Heroes - FAKEMSI
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}"=Microsoft Silverlight
"{8DC42D05-680B-41B0-8878-6C14D24602DB}"=QuickTime
"{97E5205F-EA4F-438F-B211-F1846419F1C1}"=Company of Heroes - FAKEMSI
"{99A7722D-9ACB-43F3-A222-ABC7133F159E}"=Company of Heroes - FAKEMSI
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}"=Microsoft Visual C++ 2005 Redistributable
"{A7E07C2B-2220-4415-87E3-784D5814BC93}"=NVIDIA PhysX v8.09.04
"{AC76BA86-7AD7-1033-7B44-A90000000001}"=Adobe Reader 9
"{BA801B94-C28D-46EE-B806-E1E021A3D519}"=Company of Heroes - FAKEMSI
"{D4D244D1-05E0-4D24-86A2-B2433C435671}"=Company of Heroes - FAKEMSI
"{E280923D-C5D9-4728-8C79-AC9A0DC75875}"=BioShock
"{E48469CC-635E-4FD5-A122-1497C286D217}"=Call of Duty(R) 4 - Modern Warfare(TM)
"{EAF636A9-F664-4703-A659-85A894DA264F}"=Company of Heroes - FAKEMSI
"Adobe AIR"=Adobe AIR


Post by Yozaurious on 1st December 2008, 11:52 pm

"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"Age of Conan_is1"=Age of Conan - Hyborian Adventures
"a-squared Free_is1"=a-squared Free 3.5
"AudioCS"=Creative Audio Console
"AVG8Uninstall"=AVG Free 8.0
"Azureus Vuze"=Azureus Vuze
"CCleaner"=CCleaner (remove only)
"Cellfactor Revolution"=Cellfactor Revolution 1.03
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Acrobat.com
"Company of Heroes"=Company of Heroes
"Creative Software AutoUpdate"=Creative Software AutoUpdate
"EasyBCD"=EasyBCD 1.7.2
"EVE"=EVE-ONLINE (remove only)
"EVEMon"=EVEMon
"G-Force"=G-Force
"Hamachi"=Hamachi 1.0.2.5
"HijackThis"=HijackThis 2.0.2
"InstallShield_{14D10AAC-9737-454E-A247-8075C26C30E1}"=SILENT HILL 3
"InstallShield_{21DBBDD6-93A5-4326-9A04-C9A5C9148502}"=Norton PartitionMagic 8.0
"InstallShield_{3BD633E0-4BF8-4499-9149-88F0767D449C}"=Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}"=Call of Duty(R) 4 - Modern Warfare(TM)
"Launchy_21344213_is1"=Launchy 1.25
"Magic ISO Maker v5.4 (build 0256)"=Magic ISO Maker v5.4 (build 0256)
"Mozilla Firefox (2.0.0.18)"=Mozilla Firefox (2.0.0.18)
"PunkBusterSvc"=PunkBuster Services
"RivaTuner"=RivaTuner v2.08
"S.T.A.L.K.E.R. - Shadow of Chernobyl_is1"=S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0001]
"SopCast"=SopCast 3.0.3
"SpeedFan"=SpeedFan (remove only)
"Steam App 10"=Counter-Strike
"Steam App 10050"=Enemy Territory: QUAKE Wars Demo 2.0
"Steam App 13210"=Unreal Tournament 3
"Steam App 220"=Half-Life 2
"Steam App 240"=Counter-Strike: Source
"Steam App 340"=Half-Life 2: Lost Coast
"Steam App 3483"=Peggle Extreme
"Steam App 380"=Half-Life 2: Episode One
"Steam App 400"=Portal
"Steam App 420"=Half-Life 2: Episode Two
"Steam App 440"=Team Fortress 2
"Steam App 500"=Left 4 Dead
"VLC media player"=VideoLAN VLC media player 0.8.6f
"WinRAR archiver"=WinRAR archiver
"Xfire"=Xfire (remove only)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 26/11/2008 19:20:01 | Computer Name = AL | Source = Application Error | ID = 1000
Description = Faulting application hl2.exe, version 0.0.0.0, time stamp 0x470c11ae,
faulting module filesystem_steam.dll_unloaded, version 0.0.0.0, time stamp 0x4877aa9a,
exception code 0xc0000005, fault offset 0x026272c9, process id 0x120c, application
start time 0x01c9501b9e31183f.

Error - 27/11/2008 19:18:55 | Computer Name = AL | Source = Application Error | ID = 1000
Description = Faulting application hl2.exe, version 0.0.0.0, time stamp 0x470c11ae,
faulting module filesystem_steam.dll_unloaded, version 0.0.0.0, time stamp 0x4877aa9a,
exception code 0xc0000005, fault offset 0x026072c9, process id 0x127c, application
start time 0x01c950dde51d3967.

Error - 27/11/2008 19:19:32 | Computer Name = AL | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 11.0.6001.7000, time stamp
0x47919356, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a783,
exception code 0xc0000374, fault offset 0x000aada3, process id 0x11ec, application
start time 0x01c950b49a3fb6d7.

Error - 28/11/2008 10:32:53 | Computer Name = AL | Source = Application Error | ID = 1000
Description = Faulting application hl2.exe, version 0.0.0.0, time stamp 0x470c11ae,
faulting module filesystem_steam.dll_unloaded, version 0.0.0.0, time stamp 0x4877aa9a,
exception code 0xc0000005, fault offset 0x030272c9, process id 0x6d0, application
start time 0x01c9515f6a328ec1.

Error - 28/11/2008 13:46:43 | Computer Name = AL | Source = System Restore | ID = 8193
Description =

Error - 30/11/2008 16:52:47 | Computer Name = AL | Source = Application Error | ID = 1000
Description = Faulting application hl2.exe, version 0.0.0.0, time stamp 0x470c11ae,
faulting module vstdlib.dll, version 0.0.0.0, time stamp 0x4877a5bc, exception
code 0xc0000005, fault offset 0x00001432, process id 0xbe4, application start time
0x01c9532d5872efb8.

Error - 30/11/2008 16:52:51 | Computer Name = AL | Source = Application Error | ID = 1000
Description = Faulting application hl2.exe, version 0.0.0.0, time stamp 0x470c11ae,
faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code
0xc0000005, fault offset 0x75bba57d, process id 0xbe4, application start time 0x01c9532d5872efb8.

Error - 01/12/2008 02:52:48 | Computer Name = AL | Source = System Restore | ID = 8193
Description =

Error - 01/12/2008 07:05:37 | Computer Name = AL | Source = System Restore | ID = 8193
Description =

Error - 01/12/2008 18:25:41 | Computer Name = AL | Source = System Restore | ID = 8193
Description =

[ Media Center Events ]
Error - 16/11/2008 10:12:38 | Computer Name = AL | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 16/11/2008 10:13:22 | Computer Name = AL | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 16/11/2008 10:13:40 | Computer Name = AL | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 16/11/2008 10:13:49 | Computer Name = AL | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 16/11/2008 10:14:03 | Computer Name = AL | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 16/11/2008 10:14:13 | Computer Name = AL | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 16/11/2008 10:14:19 | Computer Name = AL | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 16/11/2008 10:18:32 | Computer Name = AL | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 16/11/2008 10:38:20 | Computer Name = AL | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 16/11/2008 11:10:50 | Computer Name = AL | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

[ System Events ]
Error - 15/10/2008 15:09:03 | Computer Name = AL | Source = Application Popup | ID = 1060
Description = \SystemRoot\SysWow64\Drivers\PQNTDrv.SYS has been blocked from loading
due to incompatibility with this system. Please contact your software vendor for
a compatible version of the driver.

Error - 15/10/2008 15:09:18 | Computer Name = AL | Source = HTTP | ID = 15016
Description =

Error - 15/10/2008 15:11:13 | Computer Name = AL | Source = Application Popup | ID = 1060
Description = \SystemRoot\SysWow64\Drivers\PQNTDrv.SYS has been blocked from loading
due to incompatibility with this system. Please contact your software vendor for
a compatible version of the driver.

Error - 15/10/2008 15:11:28 | Computer Name = AL | Source = HTTP | ID = 15016
Description =

Error - 15/10/2008 19:01:54 | Computer Name = AL | Source = Application Popup | ID = 1060
Description = \SystemRoot\SysWow64\Drivers\PQNTDrv.SYS has been blocked from loading
due to incompatibility with this system. Please contact your software vendor for
a compatible version of the driver.

Error - 15/10/2008 19:02:09 | Computer Name = AL | Source = HTTP | ID = 15016
Description =

Error - 15/10/2008 19:14:10 | Computer Name = AL | Source = Application Popup | ID = 1060
Description = \SystemRoot\SysWow64\Drivers\PQNTDrv.SYS has been blocked from loading
due to incompatibility with this system. Please contact your software vendor for
a compatible version of the driver.

Error - 15/10/2008 19:14:25 | Computer Name = AL | Source = HTTP | ID = 15016
Description =

Error - 16/10/2008 02:46:24 | Computer Name = AL | Source = Application Popup | ID = 1060
Description = \SystemRoot\SysWow64\Drivers\PQNTDrv.SYS has been blocked from loading
due to incompatibility with this system. Please contact your software vendor for
a compatible version of the driver.

Error - 16/10/2008 02:46:39 | Computer Name = AL | Source = HTTP | ID = 15016
Description =


< End of report >

Yozaurious
Novice

Posts : 13
Joined : 2008-12-01
OS : Vista SP1 (x64) / XP SP2 (x32)
Points : 29310
# Likes : 0


Re: Sinowal (Boot sector virus), Help request

Post by Yozaurious on 1st December 2008, 11:53 pm

OTViewIt logfile created on: 01/12/2008 23:48:16 - Run 5
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Users\Yozaurious\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 0.87 Gb Available Physical Memory | 43.69% Memory free
4.00 Gb Paging File | 2.94 Gb Available in Paging File | 73.58% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 300.00 Gb Total Space | 146.51 Gb Free Space | 48.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 350.00 Gb Total Space | 231.69 Gb Free Space | 66.20% Space Free | Partition Type: NTFS
Drive H: | 48.63 Gb Total Space | 29.63 Gb Free Space | 60.94% Space Free | Partition Type: NTFS
Drive I: | 970.74 Mb Total Space | 454.37 Mb Free Space | 46.81% Space Free | Partition Type: FAT32

Computer Name: AL
Current User Name: Yozaurious
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 60 Days

========== Processes ==========

[2007/06/01 09:21:08 | 00,153,136 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
[2007/04/20 07:58:52 | 00,552,960 | ---- | M] (Code Jelly) -- C:\Program Files (x86)\Launchy\Launchy.exe
[2008/11/27 13:51:26 | 01,261,336 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgtray.exe
[2008/03/30 09:36:40 | 00,267,048 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\iTunes\iTunesHelper.exe
[2006/11/02 09:45:37 | 00,044,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\rundll32.exe
[2007/07/17 23:32:55 | 00,460,048 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
[2008/10/01 12:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2008/09/23 09:54:01 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgwdsvc.exe
[2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Bonjour\mDNSResponder.exe
[2008/04/26 11:38:15 | 00,066,872 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
[2008/09/23 09:54:02 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgemc.exe
[2008/03/30 09:36:30 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\iPod\bin\iPodService.exe
[2007/06/01 09:21:30 | 00,271,920 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
[2007/06/01 09:21:30 | 01,209,904 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
[2008/11/14 08:02:13 | 07,676,528 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
[2008/10/21 21:13:06 | 02,769,176 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgui.exe
[2008/06/06 13:24:10 | 00,651,888 | ---- | M] (Emsi Software GmbH) -- C:\Program Files (x86)\a-squared Free\a2service.exe
[2008/06/03 12:37:42 | 00,921,712 | ---- | M] (Emsi Software GmbH) -- C:\Program Files (x86)\a-squared Free\a2free.exe
[2008/12/01 23:09:54 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Users\Yozaurious\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007/02/22 18:53:16 | 02,217,416 | ---- | M] () -- C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe -- (AcronisOSSReinstallSvc [Auto | Stopped])
[2008/10/01 12:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2008/09/23 09:54:02 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
[2008/09/23 09:54:01 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
[2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
File not found -- -- (CertPropSvc [Unknown | Running])
[2008/01/05 11:26:41 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2008/01/05 11:25:45 | 00,093,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64 [On_Demand | Stopped])
File not found -- -- (DcomLaunch [Unknown | Running])
File not found -- -- (DPS [Unknown | Running])
[2008/01/19 08:00:14 | 00,344,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehrecvr.exe -- (ehRecvr [On_Demand | Stopped])
[2008/01/19 08:00:14 | 00,153,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])
[2008/01/05 11:23:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
File not found -- -- (gpsvc [Unknown | Running])


Re: Sinowal (Boot sector virus), Help request

Post by Yozaurious on 1st December 2008, 11:53 pm

[2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2008/03/30 09:36:30 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
[2006/11/02 09:46:05 | 00,018,944 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\keyiso.dll -- (KeyIso [On_Demand | Stopped])
[2006/11/02 13:34:14 | 00,000,000 | ---D | M] -- C:\Windows\System32\Msdtc -- (MSDTC [Unknown | Stopped])
[2007/04/13 20:09:56 | 00,792,112 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
[2008/01/19 07:35:36 | 00,592,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netlogon.dll -- (Netlogon [On_Demand | Stopped])
[2008/01/05 11:23:05 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2007/06/01 09:21:30 | 00,271,920 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Running])
File not found -- -- (nvsvc [Auto | Running])
[2008/01/19 07:33:19 | 00,019,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\perfhost.exe -- (PerfHost [On_Demand | Stopped])
[2008/04/26 11:38:15 | 00,066,872 | ---- | M] () -- C:\Windows\System32\PnkBstrA.exe -- (PnkBstrA [Auto | Running])
File not found -- -- (RpcSs [Unknown | Running])
[2008/01/19 07:36:19 | 00,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SCardSvr.dll -- (SCardSvr [Unknown | Stopped])
File not found -- -- (Schedule [Unknown | Running])
File not found -- -- (SCPolicySvc [Unknown | Stopped])
[2008/11/22 12:18:38 | 00,104,944 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service [On_Demand | Stopped])
[2006/11/02 06:35:15 | 00,060,994 | ---- | M] () -- C:\Windows\System32\wbem\vds.mof -- (vds [On_Demand | Stopped])
[2006/11/02 06:35:15 | 00,055,846 | ---- | M] () -- C:\Windows\System32\wbem\vss.mof -- (VSS [On_Demand | Stopped])
File not found -- -- (WdiServiceHost [Unknown | Stopped])
File not found -- -- (WdiSystemHost [Unknown | Running])
[2008/01/19 08:00:47 | 01,216,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
[2008/01/19 07:33:28 | 00,302,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SearchIndexer.exe -- (WSearch [Auto | Running])
[2008/06/06 13:24:10 | 00,651,888 | ---- | M] (Emsi Software GmbH) -- C:\Program Files (x86)\a-squared Free\a2service.exe -- (a2free [Auto | Running])

========== Driver Services ==========

[2008/01/19 08:12:01 | 00,486,456 | ---- | M] (Adaptec, Inc.) -- C:\Windows\WinSxS\amd64_adp94xx.inf_31bf3856ad364e35_6.0.6001.18000_none_5e0fcb9b69814f7b\adp94xx.sys -- (adp94xx [Disabled | Stopped])
[2008/01/19 08:11:40 | 00,342,584 | ---- | M] (Adaptec, Inc.) -- C:\Windows\WinSxS\amd64_adpahci.inf_31bf3856ad364e35_6.0.6001.18000_none_c05c13aa3dfbc961\adpahci.sys -- (adpahci [Disabled | Stopped])
[2008/01/19 08:10:01 | 00,126,520 | ---- | M] (Adaptec, Inc.) -- C:\Windows\WinSxS\amd64_adpu160m.inf_31bf3856ad364e35_6.0.6001.18000_none_f2feed0b63bf261d\adpu160m.sys -- (adpu160m [Disabled | Stopped])
[2008/01/19 08:11:12 | 00,185,912 | ---- | M] (Adaptec, Inc.) -- C:\Windows\WinSxS\amd64_adpu320.inf_31bf3856ad364e35_6.0.6001.18000_none_f4cbbad1148c6b4a\adpu320.sys -- (adpu320 [Disabled | Stopped])
[2008/01/19 05:09:33 | 00,018,488 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\WinSxS\amd64_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_375215c7dcd73562\aliide.sys -- (aliide [Disabled | Stopped])
[2008/01/19 08:09:34 | 00,090,680 | ---- | M] (Adaptec, Inc.) -- C:\Windows\WinSxS\amd64_arc.inf_31bf3856ad364e35_6.0.6001.18000_none_7bfed8c7803713cf\arc.sys -- (arc [Disabled | Stopped])
[2008/01/19 08:09:37 | 00,091,192 | ---- | M] (Adaptec, Inc.) -- C:\Windows\WinSxS\amd64_arcsas.inf_31bf3856ad364e35_6.0.6001.18000_none_771684264153c2d4\arcsas.sys -- (arcsas [Disabled | Stopped])
File not found -- -- (AtcL001 [On_Demand | Running])
File not found -- -- (AvgLdx64 [System | Running])
File not found -- -- (AvgMfx64 [System | Running])
File not found -- -- (AvgWfpA [On_Demand | Running])
[2006/09/18 21:30:15 | 00,018,432 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\WinSxS\amd64_brmfcsto.inf_31bf3856ad364e35_6.0.6001.18000_none_800ff95700142785\BrFiltLo.sys -- (BrFiltLo [On_Demand | Stopped])
[2006/09/18 21:30:15 | 00,008,704 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\WinSxS\amd64_brmfcsto.inf_31bf3856ad364e35_6.0.6001.18000_none_800ff95700142785\BrFiltUp.sys -- (BrFiltUp [On_Demand | Stopped])
[2008/01/19 05:09:39 | 00,020,536 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\WinSxS\amd64_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_375215c7dcd73562\cmdide.sys -- (cmdide [Disabled | Stopped])
File not found -- -- (DAdderFltr [On_Demand | Running])
[2008/01/05 11:22:47 | 00,146,176 | ---- | M] (Intel Corporation) -- C:\Windows\WinSxS\amd64_nete1g3e.inf_31bf3856ad364e35_6.0.6001.18000_none_04b0c96be9c034d3\E1G6032E.sys -- (E1G60 [On_Demand | Stopped])
[2008/01/19 08:11:53 | 00,397,368 | ---- | M] (Emulex) -- C:\Windows\WinSxS\amd64_elxstor.inf_31bf3856ad364e35_6.0.6001.18000_none_08ac13ff69b034ee\elxstor.sys -- (elxstor [Disabled | Stopped])
File not found -- -- (HdAudAddService [On_Demand | Running])
[2008/01/19 08:08:42 | 00,047,672 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\WinSxS\amd64_hpcisss.inf_31bf3856ad364e35_6.0.6001.18000_none_d59c6600292b9522\HpCISSs.sys -- (HpCISSs [Disabled | Stopped])
[2008/01/19 08:11:31 | 00,290,872 | ---- | M] (Intel Corporation) -- C:\Windows\WinSxS\amd64_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_0b2fedfc40256bc5\iaStorV.sys -- (iaStorV [Disabled | Stopped])
[2008/01/19 08:09:57 | 00,113,720 | ---- | M] (LSI Logic) -- C:\Windows\WinSxS\amd64_lsi_fc.inf_31bf3856ad364e35_6.0.6001.18000_none_c59b4ac1fa719137\lsi_fc.sys -- (LSI_FC [Disabled | Stopped])
[2008/01/19 08:09:48 | 00,105,016 | ---- | M] (LSI Logic) -- C:\Windows\WinSxS\amd64_lsi_sas.inf_31bf3856ad364e35_6.0.6001.18000_none_5b86b7f9e8ff0dc5\lsi_sas.sys -- (LSI_SAS [Disabled | Stopped])
[2008/01/19 08:09:56 | 00,113,720 | ---- | M] (LSI Logic) -- C:\Windows\WinSxS\amd64_lsi_scsi.inf_31bf3856ad364e35_6.0.6001.18000_none_f883c787da42af0c\lsi_scsi.sys -- (LSI_SCSI [Disabled | Stopped])
[2008/01/19 08:08:18 | 00,035,896 | ---- | M] (LSI Corporation) -- C:\Windows\WinSxS\amd64_megasas.inf_31bf3856ad364e35_6.0.6001.18000_none_8c5ef0c0070fb814\megasas.sys -- (megasas [Disabled | Stopped])
[2008/04/28 17:40:30 | 00,001,088 | ---- | M] () -- C:\Windows\System32\wbem\mpsdrv.mof -- (mpsdrv [On_Demand | Running])
File not found -- -- (MTsensor [On_Demand | Running])
[2006/10/14 03:04:34 | 05,942,912 | ---- | M] (NVIDIA Corporation) -- C:\Windows\WinSxS\amd64_nv_lh.inf_31bf3856ad364e35_6.0.6001.18000_none_4a8627558332bbba\nvlddmkm.sys -- (nvlddmkm [On_Demand | Running])
[2008/01/19 08:10:12 | 00,128,056 | ---- | M] (NVIDIA Corporation) -- C:\Windows\WinSxS\amd64_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_95f95eab775c159d\nvraid.sys -- (nvraid [Disabled | Stopped])
[2008/01/19 08:08:50 | 00,054,328 | ---- | M] (NVIDIA Corporation) -- C:\Windows\WinSxS\amd64_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_95f95eab775c159d\nvstor.sys -- (nvstor [Disabled | Stopped])
File not found -- -- (P17 [On_Demand | Running])
[2004/05/05 20:48:40 | 00,004,228 | ---- | M] (PowerQuest Corporation) -- C:\Windows\System32\drivers\PQNTDRV.sys -- (PQNTDrv [System | Stopped])
[2008/01/19 08:12:10 | 01,221,176 | ---- | M] (QLogic Corporation) -- C:\Windows\WinSxS\amd64_ql2300.inf_31bf3856ad364e35_6.0.6001.18000_none_90b29e0f5eb4b0a1\ql2300.sys -- (ql2300 [Disabled | Stopped])
[2008/04/27 12:57:57 | 00,019,952 | ---- | M] () -- C:\Program Files (x86)\Rivatuner\RivaTuner64.sys -- (RivaTuner64 [On_Demand | Stopped])
[2006/09/29 23:51:44 | 00,023,040 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\WinSxS\amd64_macrovision-protection-safedisc_31bf3856ad364e35_6.0.6000.16386_none_b794b0d578b7ec2e\secdrv.sys -- (secdrv [Auto | Running])
[2008/01/19 08:09:28 | 00,078,392 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\WinSxS\amd64_sisraid4.inf_31bf3856ad364e35_6.0.6001.18000_none_8460e59f708bb476\sisraid4.sys -- (SiSRaid4 [Disabled | Stopped])
File not found -- -- (snapman [Boot | Running])
[2007/02/07 18:27:46 | 00,014,104 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\Windows\SysWOW64\speedfan.sys -- (speedfan [Boot | Running])
File not found -- -- (sptd [Boot | Running])
[2006/09/18 21:36:40 | 00,003,066 | ---- | M] () -- C:\Windows\System32\wbem\tcpip.mof -- (Tcpip [Boot | Running])
[2008/01/19 08:11:28 | 00,284,728 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\WinSxS\amd64_uliahci.inf_31bf3856ad364e35_6.0.6001.18000_none_a21b1cbb80e47096\uliahci.sys -- (uliahci [Disabled | Stopped])
[2006/11/02 11:51:19 | 00,174,696 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\WinSxS\amd64_ulsata2.inf_31bf3856ad364e35_6.0.6001.18000_none_9ce1027f4768b389\ulsata2.sys -- (ulsata2 [Disabled | Stopped])
[2008/01/19 05:11:26 | 00,020,536 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\WinSxS\amd64_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_375215c7dcd73562\viaide.sys -- (viaide [Disabled | Stopped])
[2008/01/19 08:10:22 | 00,149,048 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\WinSxS\amd64_vsmraid.inf_31bf3856ad364e35_6.0.6001.18000_none_508698a452d25e17\vsmraid.sys -- (vsmraid [Disabled | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\Windows\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://www.google.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (761 bytes) - C:\Windows\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
::1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} (HKLM) -- C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (HKLM) -- C:\Program Files (x86)\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"AVG8_TRAY"=C:\PROGRA~2\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
"iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe" (Apple Inc.)
"P17RunE"=RunDll32 P17RunE.dll,RunDLLEntry (Creative Technology Ltd.)
"QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime (Apple Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe" (Nero AG)
"ehTray.exe"=C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
"EVEMon"="C:\Program Files (x86)\EVEMon\EVEMon.exe" -startMinimized (EVEMon Development Team)
"Steam"="c:\program files (x86)\steam\steam.exe" -silent (Valve Corporation)
"WMPNSCFG"=C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"ConsentPromptBehaviorAdmin"=2
"ConsentPromptBehaviorUser"=1
"EnableInstallerDetection"=1


Re: Sinowal (Boot sector virus), Help request

Post by Yozaurious on 1st December 2008, 11:54 pm

"EnableLUA"=0
"EnableSecureUIAPaths"=1
"EnableVirtualization"=1
"PromptOnSecureDesktop"=1
"ValidateAdminCodeSignatures"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"scforceoption"=0
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"FilterAdministratorToken"=0
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=1
"CF_BITMAP"=2
"CF_OEMTEXT"=7
"CF_DIB"=8
"CF_PALETTE"=9
"CF_UNICODETEXT"=13
"CF_DIBV5"=17

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{77BF5300-1474-4EC7-9980-D32B190E9B07}: Button: Skype -- %ProgramFiles%\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008/04/23 16:45:36 | 01,377,576 | ---- | M] (Skype Technologies S.A.)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = [You must be registered and logged in to see this link.]
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{D27CDB6E-AE6D-11CF-96B8-444553540000}: [You must be registered and logged in to see this link.] -- Shockwave Flash Object
{F6ACF75C-C32C-447B-9BEF-46B766368D29}: [You must be registered and logged in to see this link.] -- Creative Software AutoUpdate Support Package

========== (O17) DNS Name Servers ==========

{1236E41D-CA81-4FD5-8E36-B3E8FC518461} (Servers: | Description: Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller)
{36C036E3-E7AD-4E2C-84FA-0156DA83BB09} (Servers: | Description: )

========== (O20) HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=explorer.exe
>[2008/01/19 07:33:10 | 02,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\explorer.exe


========== (O21) SSODL Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"={E6FB5E20-DE35-11CF-9C87-00AA005127ED} (HKLM) -- C:\Windows\SysWOW64\webcheck.dll (Microsoft Corporation)

========== HKLM *SecurityProviders* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=credssp.dll
>[2008/01/19 07:33:59 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\credssp.dll

========== LSA *Security Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=kerberos,msv1_0,schannel,wdigest,tspkg,
>[2008/01/19 07:36:42 | 00,062,464 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\TSpkg.dll

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/09/30 10:49:44 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{639dfc8e-1f8a-11dd-aded-001e8c26af2e}\Shell]
""=AutoRun


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{639dfc8e-1f8a-11dd-aded-001e8c26af2e}\Shell\AutoRun\command]
""=F:\setup.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f78ba35-b252-11dd-91fa-001e8c26af2e}\Shell\AutoRun\command]
""=I:\WD_Windows_Tools\Setup.exe -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ad36d85f-1567-11dd-b066-001e8c26af2e}\Shell]
""=AutoRun


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ad36d85f-1567-11dd-b066-001e8c26af2e}\Shell\AutoRun\command]
""=E:\Autorun.exe -- File not found

========== Files/Folders - Created Within 60 Days ==========

[2008/12/01 23:09:54 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Users\Yozaurious\Desktop\OTViewIt.exe
[2008/12/01 23:08:36 | 00,000,000 | ---D | C] -- C:\Users\Yozaurious\Documents\a-squared Free
[2008/12/01 23:08:36 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\a-squared Free
[2008/12/01 22:48:21 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Users\Yozaurious\Desktop\HiJackThis.exe
[2008/11/29 12:59:23 | 00,000,000 | ---D | C] -- C:\Users\Yozaurious\Desktop\EFT2.9.1
[2008/11/19 15:39:04 | 00,081,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_3.dll
[2008/11/19 15:39:03 | 03,495,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_33.dll
[2008/11/19 15:39:03 | 01,123,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_33.dll
[2008/11/19 15:39:03 | 00,443,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_33.dll
[2008/11/19 15:39:03 | 00,261,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_7.dll
[2008/11/19 15:39:03 | 00,015,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\x3daudio1_1.dll
[2008/11/19 13:54:35 | 00,062,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_1.dll
[2008/11/19 13:54:34 | 02,388,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_30.dll
[2008/11/19 13:54:34 | 00,229,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_1.dll
[2008/11/19 13:54:34 | 00,014,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\x3daudio1_0.dll
[2008/11/19 13:54:32 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\THQ
[2008/11/18 08:03:07 | 00,561,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapi.dll
[2008/11/18 08:03:07 | 00,083,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wudriver.dll
[2008/11/18 08:03:07 | 00,034,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups.dll
[2008/11/18 08:03:05 | 00,162,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuwebv.dll
[2008/11/18 08:03:05 | 00,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapp.exe
[2008/11/16 15:10:30 | 00,000,000 | -HSD | C] -- C:\Users\Public\Documents\MCE Logs
[2008/11/13 14:06:03 | 01,191,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msxml3.dll
[2008/11/13 14:06:02 | 01,334,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msxml6.dll
[2008/11/10 15:10:32 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime
[2008/11/08 23:22:38 | 00,000,000 | ---D | C] -- C:\Users\Yozaurious\Documents\Red Alert 3
[2008/11/08 23:05:55 | 00,000,000 | ---D | C] -- C:\Users\Yozaurious\AppData\Roaming\Red Alert 3
[2008/11/08 23:01:52 | 00,006,372 | ---- | C] () -- C:\Windows\System32\ealregsnapshot1.reg
[2008/11/08 23:01:49 | 00,000,000 | ---D | C] -- C:\Users\Yozaurious\AppData\Local\Downloaded Installations
[2008/11/08 22:45:27 | 01,491,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_38.dll
[2008/11/08 22:45:27 | 00,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_38.dll
[2008/11/08 22:45:25 | 03,850,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_38.dll
[2008/11/08 22:45:24 | 03,727,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_35.dll
[2008/11/08 22:45:24 | 01,358,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_35.dll
[2008/11/08 22:45:24 | 00,444,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_35.dll
[2008/10/30 01:24:22 | 00,042,320 | ---- | C] () -- C:\Windows\System32\xfcodec.dll
[2008/10/28 23:50:05 | 00,443,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32spl.dll
[2008/10/25 22:13:36 | 00,000,000 | ---D | C] -- C:\Users\Yozaurious\AppData\Local\Electronic Arts
[2008/10/25 21:40:04 | 00,000,000 | ---D | C] -- C:\Users\Yozaurious\Documents\Electronic Arts
[2008/10/25 21:40:04 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Electronic Arts
[2008/10/25 12:15:47 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Apple
[2008/10/24 07:05:44 | 00,466,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netapi32.dll
[2008/10/16 14:19:47 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2008/10/16 06:51:21 | 06,068,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll
[2008/10/16 06:51:21 | 03,578,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2008/10/16 06:51:20 | 01,166,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll
[2008/10/16 06:51:19 | 00,827,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll
[2008/10/16 06:51:19 | 00,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2008/10/16 06:51:19 | 00,270,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll
[2008/10/16 06:51:18 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2008/10/16 06:51:17 | 01,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2008/10/07 13:33:00 | 00,201,157 | ---- | C] () -- C:\Windows\System32\nvapps.xml
[2008/10/05 20:38:55 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe AIR
[2008/10/05 20:37:34 | 00,000,000 | ---D | C] -- C:\ProgramData\Adobe
[2008/10/05 20:37:33 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe
[2008/10/05 20:37:33 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Adobe
[2008/10/05 20:32:56 | 00,000,000 | ---D | C] -- C:\Users\Yozaurious\AppData\Local\Adobe

========== Files - Modified Within 60 Days ==========

[1 C:\Windows\*.tmp files]
[2008/12/01 23:50:00 | 00,000,486 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{0B1B65CE-D0A5-4DFD-A50E-08E9F4D62DD6}.job
[2008/12/01 23:09:54 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Users\Yozaurious\Desktop\OTViewIt.exe
[2008/12/01 22:47:55 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Users\Yozaurious\Desktop\HiJackThis.exe
[2008/12/01 21:55:40 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2008/12/01 21:55:37 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2008/12/01 21:55:33 | 21,465,57952 | -HS- | M] () -- C:\hiberfil.sys
[2008/12/01 13:53:16 | 02,986,130 | -H-- | M] () -- C:\Users\Yozaurious\AppData\Local\IconCache.db
[2008/11/26 23:28:19 | 00,075,776 | ---- | M] () -- C:\Users\Yozaurious\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/15 19:34:15 | 23,419,9760 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2008/11/15 00:50:58 | 00,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2008/11/08 23:01:52 | 00,006,372 | ---- | M] () -- C:\Windows\System32\ealregsnapshot1.reg
[2008/10/30 01:24:22 | 00,042,320 | ---- | M] () -- C:\Windows\System32\xfcodec.dll
[2008/10/16 21:12:19 | 00,561,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wuapi.dll
[2008/10/16 21:08:57 | 00,034,328 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wups.dll
[2008/10/16 20:55:59 | 00,083,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wudriver.dll
[2008/10/16 14:08:00 | 00,162,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wuwebv.dll
[2008/10/16 13:56:04 | 00,031,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wuapp.exe
[2008/10/16 04:47:33 | 00,466,944 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netapi32.dll
[2008/10/07 13:33:00 | 00,201,157 | ---- | M] () -- C:\Windows\System32\nvapps.xml
< End of report >


Re: Sinowal (Boot sector virus), Help request

Post by Belahzur on 1st December 2008, 11:56 pm

Hello.
Log looks clean, what problems remain?


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1

View user profile

Back to top Go down

Re: Sinowal (Boot sector virus), Help request

Post by Yozaurious on 1st December 2008, 11:59 pm

My bank gave me a ring notifying me that I have a virus, boot system "sinowal", on my computer. I did a full AVG scan but it did not find it. What is the best boot system scan available? Also, if it is a boot system virus, does it operate on all OSs on the HD or just one? The log given is from the Vista 64 partition; I use an XP one as well for work. Should I scan that one?

Thanks,

Yozaurious


Re: Sinowal (Boot sector virus), Help request

Post by Belahzur on 2nd December 2008, 12:09 am

Hello, I have some bad news for you.
Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]



Re: Sinowal (Boot sector virus), Help request

Post by Belahzur on 2nd December 2008, 12:25 am

This might find it.

Download [You must be registered and logged in to see this link.] to your desktop.
Double click on the MBR.exe file to run it. A log will be produced, MBR.log.
Copy and paste it back here.

Yes, a full format would get rid of it.


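The MBR.exe step above reads the first sector of the disk and reports whether it still looks like a normal boot record. The following Python script is an added example of the same kind of check, written for this thread; it is not MBR.exe and not the poster's data. It parses a raw 512-byte Master Boot Record image, verifies the 0x55AA boot signature, decodes the partition table, and compares a SHA-256 of the boot-code region against a baseline hash taken while the machine was known to be clean. The boot code, partition layout and disk signature in the sample are constructed placeholders.

```python
"""Parse a 512-byte MBR image and report findings a defender would act on.

Added example for this thread, not the forum's or MBR.exe's own code.
All sample bytes below are constructed placeholders, not real loader code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 440          # offsets 0..439 hold the boot code
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
PART_ENTRY_SIZE = 16
SIG_OFFSET = 510              # 0x55 0xAA boot signature
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Constructed stand-in for clean boot code (not an actual boot loader).
CLEAN_BOOT_CODE = b"CLEAN-BOOT-CODE-PLACEHOLDER"

# Constructed layout mirroring the poster's description: Vista, XP, data (all NTFS, type 0x07).
SAMPLE_PARTITIONS = [
    (0x80, 0x07, 2048, 200_000_000),          # active partition (Vista x64)
    (0x00, 0x07, 200_002_048, 100_000_000),   # XP
    (0x00, 0x07, 300_002_048, 300_000_000),   # file storage, no OS
]


def build_mbr(boot_code: bytes, partitions, disk_sig: int = 0x12345678) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four partition tuples."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_sig)
    for i, (status, ptype, lba_start, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # CHS fields are left zeroed; the LBA fields are what matters here
        struct.pack_into(PART_ENTRY_FMT, sector, off,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode signature, disk signature, partition table and boot-code hash."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype != 0:                        # type 0 means an unused slot
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "signature_ok": sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA",
        "partitions": entries,
    }


def check_mbr(sector: bytes, known_good_boot_hash: str) -> list:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != known_good_boot_hash:
        findings.append("boot code differs from the known-good copy: MBR was rewritten")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    # Overlapping partitions are never a legitimate layout.
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end_prev), (start_next, _) in zip(ranges, ranges[1:]):
        if start_next < end_prev:
            findings.append(f"partition starting at LBA {start_next} overlaps the previous one")
    return findings


def demo():
    """Baseline a clean MBR, then check a copy whose boot code was rewritten."""
    clean = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
    baseline = parse_mbr(clean)["boot_code_sha256"]   # record this while the machine is known clean
    tampered = bytearray(clean)
    tampered[:16] = b"REWRITTEN-LOADER"               # simulated overwrite; partition table untouched
    return check_mbr(clean, baseline), check_mbr(bytes(tampered), baseline)


if __name__ == "__main__":
    for label, findings in zip(("clean", "tampered"), demo()):
        print(label, "->", findings or "no findings")
```

On a real system the sector comes from the first 512 bytes of the physical disk (on Windows, opening `\\.\PhysicalDrive0` for reading, which needs administrator rights); the baseline hash should be recorded and stored off the machine while it is known to be clean. One caveat worth knowing: a kernel-level rootkit that hooks disk reads can hand back a clean-looking copy of the MBR to any program running inside the infected OS, so the most trustworthy reading is taken after booting from separate, clean media.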

Re: Sinowal (Boot sector virus), Help request

Post by Doctor Inferno on 11th December 2008, 9:04 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.
