Sinowal Trojan

View previous topic View next topic Go down

Solved Sinowal Trojan

Post by brian6464 on 6th December 2008, 7:25 pm

I have the Sinowal Trojan virus and cannot get rid of it with Norton, Malwarebytes, Adaware, Spy Doctor etc. Whenever I try to access the internet, an "Insecure Internet Activity: Threat of Virus Attack" message comes up and asks me to protect my pc by following a link. I am guessing this is a spoof site that will try to solicit my financial info.

Please help me get rid of this. THANKS!

Here is my HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:42 PM, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Documents and Settings\Owner\Application Data\Google\xtgoj6119471.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O1 - Hosts: HP9B7EFC HP001A4B9B7EFC
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Yapta Tracker] C:\Program Files\Yapta\YaptaClient.exe /onstartup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - [You must be registered and logged in to see this link.]
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12104 bytes

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 7:28 pm

Log looks clean, but this is causing the problem.
Delete this file in bold:
C:\Documents and Settings\Owner\Application Data\Google\xtgoj6119471.exe


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Uninstall_List file

Post by brian6464 on 6th December 2008, 7:29 pm

Here is the results of the uninstall_list file

Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album Starter Edition
Adobe Reader 7.0.9
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
Bodog Poker Version 2.16.1.52
Bonjour
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Compaq Connections
Compaq Instant Support
Compaq Organize
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Enhanced Multimedia Keyboard Solution
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Solution Center 7.0
HP Update
Intel(R) Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2
Java(TM) 6 Update 7
KODAK Picture Software
KODAK Picture Transfer Software
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition
Microsoft Plus! for Windows XP
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MUSICMATCH® Jukebox
Nero Suite
Norton AntiVirus
NVIDIA GART Driver
OCR Software by I.R.I.S 7.0
OpenOffice.org Installer 1.0
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Picasa 2
PIXresizer 2.0.0
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
QuickTime
Qwest eChat Support Tools
Qwest QuickCare 2.0
RealPlayer
RecordNow!
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
SecondLife (remove only)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Shop for HP Supplies
Sonic Update Manager
Spyware Doctor 6.0
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Where to delete file?

Post by brian6464 on 6th December 2008, 7:39 pm

Sorry for the really stupid question, but where do I delete this from? I do not see it in the HJT Scan & Fix pane. Are yoiu suggesting just delete it from my computer from explorer and then follow the rest of your instructions? Thanks!

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 7:40 pm

Hello.
Yes, use Windows Explorer, find the file, then delete it.

If you can't delete it, miss it and run combofix, we'll use that to kill it.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved How do I unhide my file directory strucutre?

Post by brian6464 on 6th December 2008, 7:49 pm

I cannot find the sub folder Application Data when looking for the path C:\Documents and Settings\Owner\Application Data\Google\xtgoj6119471.exe

It goes C:\Documents and Settings\Owner\....and there is no folder for application data?

Is it hidden? If so, how do I unhide it?

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 7:57 pm

Hello. Yes, it is hidden.


    To Unhide Files and folders:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.

    Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Show hidden files and folders" option.
  • Hit the "Apply To All Folders" option.
  • Click Yes to confirm. Click OK.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by brian6464 on 6th December 2008, 8:01 pm

I was not allowed to delete the file, so I will try to run combofix now.

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 8:02 pm

Suspected so.
Combofix will get rid of it.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by brian6464 on 6th December 2008, 8:09 pm

ok...another problem...when I try to download combofix, it get to the point of running it and it shuts down my IE and gives me an error:

'You cannot rename ComboFix as ComboFix(1)

Please use another name, preferable made up of alphanumeric characters'

What now?

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 8:10 pm

Hello.
Is that from the bottom pair of links because the top links didn't work?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by brian6464 on 6th December 2008, 8:11 pm

Both from the top...link 1 & link 2.

I take it I should try the bottom?

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 8:15 pm

No, they are old links.
Do this instead.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\Documents and Settings\Owner\Application Data\Google\xtgoj6119471.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by brian6464 on 6th December 2008, 8:27 pm

in progress....reboot is taking awhile

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by brian6464 on 6th December 2008, 8:34 pm

Is it normal for the reboot to take along time after running avenger? Been sitting at the XP screen for ~10 minutes now.

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 8:40 pm

No, that's not normal, it should have opened as soon as it come back from reboot.

See if the log has already been made.
C:\avenger.txt


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Avenger logfile

Post by brian6464 on 6th December 2008, 8:56 pm

I had to hard reboot my system and then the logfile did come up. My pc is running real slow right now, but it did make it to the internet without the spoof site coming up this time. Anything else I need to do?

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Documents and Settings\Owner\Application Data\Google\xtgoj6119471.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 9:04 pm

Now that file is gone, please download combofix again and lets see what happens this time.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by brian6464 on 6th December 2008, 9:11 pm

Combofix is still a no go....

error this time...

You cannot rename ComboFix as ComboFix(2)
Please use another name, preferably made up of alphanumeric characters

Would I be able to download this on my laptop, save to flash drive and then run it on my desktop (the problem pc) from the flash drive?

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 9:12 pm

Hmm, maybe.
You can try that.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by brian6464 on 6th December 2008, 10:06 pm

ComboFix to flash drive and then my desktop worked

Following are the results of the scan from the logfile....does everything look good?

ComboFix 08-12-06.03 - Owner 2008-12-06 15:24:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.146 [GMT -6:00]
Running from: G:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\TDSSttfnhtpx.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 01:18 . 2008-12-06 01:18 d-------- c:\program files\Common Files\xing shared
2008-12-06 00:56 . 2008-12-06 00:56 d-------- c:\program files\Lavasoft
2008-12-06 00:56 . 2008-12-06 01:00 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 00:54 . 2008-12-06 00:54 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-06 00:46 . 2008-12-06 00:46 d-------- c:\program files\Trend Micro
2008-12-06 00:04 . 2008-12-06 00:54 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-06 00:04 . 2008-12-06 00:54 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-06 00:04 . 2008-12-06 00:54 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-06 00:04 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-06 00:03 . 2008-12-06 15:34 d-------- c:\program files\Spyware Doctor
2008-12-06 00:03 . 2008-12-06 00:03 d-------- c:\documents and settings\Owner\Application Data\PC Tools
2008-12-05 23:59 . 2008-12-06 01:00 d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-12-05 23:09 . 2008-12-06 15:46 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 18:32 . 2008-12-05 18:32 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-05 18:32 . 2008-12-05 18:32 d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-05 18:32 . 2008-12-05 18:32 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-05 18:32 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-05 18:32 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-11 13:13 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 13:12 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-08 14:47 . 2002-08-29 13:00 180,770 --a--c--- c:\windows\system32\dllcache\c_20932.nls
2008-11-08 14:46 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-11-08 14:46 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-11-08 14:46 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-11-08 14:46 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-11-08 14:46 . 2008-04-13 19:09 6,144 --a------ c:\windows\system32\kbd106.dll
2008-11-08 14:46 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-11-08 14:46 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-11-08 14:46 . 2008-04-13 19:09 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-11-08 14:46 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-11-08 14:46 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-08 14:46 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-11-08 14:46 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 07:18 --------- d-----w c:\program files\Common Files\Real
2008-12-06 07:13 --------- d-----w c:\program files\Google
2008-12-06 07:07 --------- d-----w c:\program files\Picasa2
2008-11-10 05:39 --------- d-----w c:\program files\Bodog Poker
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-10 16:02 --------- d--h--w c:\documents and settings\Owner\Application Data\Move Networks
2008-10-09 04:45 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2008-10-09 04:44 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-09 04:44 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-10-09 04:44 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-09 04:44 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-09 04:44 --------- d-----w c:\program files\Symantec
2008-10-09 04:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-09 04:43 35,888 ----a-r c:\windows\system32\drivers\SymIM.sys
2008-10-09 04:43 --------- d-----w c:\program files\Windows Sidebar
2008-10-09 04:43 --------- d-----w c:\program files\Norton AntiVirus
2008-10-09 04:40 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-09 04:13 --------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2008-10-09 04:12 --------- d-----w c:\program files\NortonInstaller
2008-10-09 04:12 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-10-09 03:02 37,472 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-10-09 00:19 --------- d-----w c:\program files\MSECache
2008-10-08 03:18 --------- d-----w c:\program files\iTunes
2008-10-08 03:18 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-08 03:17 --------- d-----w c:\program files\iPod
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-14 04:28 98,304 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\PluginCtrl.dll
2008-09-14 04:28 77,824 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\WinVerifyTrust.dll
2008-09-14 04:28 69,632 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\jsharpde\msxmlwrapper.dll
2008-09-14 04:28 49,152 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\jsharpde\hwinv.dll
2008-09-14 04:28 36,864 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\jsharpde\gnu.dll
2008-09-14 04:28 32,768 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\jsharpde\pchapi.dll
2008-09-14 04:28 315,392 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\pchmsxml.dll
2008-09-14 04:28 307,200 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\pchealthplugin.dll
2008-09-14 04:28 114,688 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\jsharpde\ZipLib.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved rest of logfile

Post by brian6464 on 6th December 2008, 10:07 pm

ComboFix 08-12-06.03 - Owner 2008-12-06 15:24:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.146 [GMT -6:00]
Running from: G:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\TDSSttfnhtpx.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 01:18 . 2008-12-06 01:18 d-------- c:\program files\Common Files\xing shared
2008-12-06 00:56 . 2008-12-06 00:56 d-------- c:\program files\Lavasoft
2008-12-06 00:56 . 2008-12-06 01:00 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 00:54 . 2008-12-06 00:54 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-06 00:46 . 2008-12-06 00:46 d-------- c:\program files\Trend Micro
2008-12-06 00:04 . 2008-12-06 00:54 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-06 00:04 . 2008-12-06 00:54 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-06 00:04 . 2008-12-06 00:54 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-06 00:04 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-06 00:03 . 2008-12-06 15:34 d-------- c:\program files\Spyware Doctor
2008-12-06 00:03 . 2008-12-06 00:03 d-------- c:\documents and settings\Owner\Application Data\PC Tools
2008-12-05 23:59 . 2008-12-06 01:00 d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-12-05 23:09 . 2008-12-06 15:46 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 18:32 . 2008-12-05 18:32 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-05 18:32 . 2008-12-05 18:32 d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-05 18:32 . 2008-12-05 18:32 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-05 18:32 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-05 18:32 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-11 13:13 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 13:12 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-08 14:47 . 2002-08-29 13:00 180,770 --a--c--- c:\windows\system32\dllcache\c_20932.nls
2008-11-08 14:46 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-11-08 14:46 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-11-08 14:46 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-11-08 14:46 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-11-08 14:46 . 2008-04-13 19:09 6,144 --a------ c:\windows\system32\kbd106.dll
2008-11-08 14:46 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-11-08 14:46 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-11-08 14:46 . 2008-04-13 19:09 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-11-08 14:46 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-11-08 14:46 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-08 14:46 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-11-08 14:46 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 07:18 --------- d-----w c:\program files\Common Files\Real
2008-12-06 07:13 --------- d-----w c:\program files\Google
2008-12-06 07:07 --------- d-----w c:\program files\Picasa2
2008-11-10 05:39 --------- d-----w c:\program files\Bodog Poker
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-10 16:02 --------- d--h--w c:\documents and settings\Owner\Application Data\Move Networks
2008-10-09 04:45 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2008-10-09 04:44 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-09 04:44 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-10-09 04:44 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-09 04:44 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-09 04:44 --------- d-----w c:\program files\Symantec
2008-10-09 04:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-09 04:43 35,888 ----a-r c:\windows\system32\drivers\SymIM.sys
2008-10-09 04:43 --------- d-----w c:\program files\Windows Sidebar
2008-10-09 04:43 --------- d-----w c:\program files\Norton AntiVirus
2008-10-09 04:40 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-09 04:13 --------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2008-10-09 04:12 --------- d-----w c:\program files\NortonInstaller
2008-10-09 04:12 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-10-09 03:02 37,472 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-10-09 00:19 --------- d-----w c:\program files\MSECache
2008-10-08 03:18 --------- d-----w c:\program files\iTunes
2008-10-08 03:18 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-08 03:17 --------- d-----w c:\program files\iPod
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-14 04:28 98,304 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\PluginCtrl.dll
2008-09-14 04:28 77,824 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\WinVerifyTrust.dll
2008-09-14 04:28 69,632 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\jsharpde\msxmlwrapper.dll
2008-09-14 04:28 49,152 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\jsharpde\hwinv.dll
2008-09-14 04:28 36,864 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\jsharpde\gnu.dll
2008-09-14 04:28 32,768 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\jsharpde\pchapi.dll
2008-09-14 04:28 315,392 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\pchmsxml.dll
2008-09-14 04:28 307,200 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\pchealthplugin.dll
2008-09-14 04:28 114,688 ----a-w c:\windows\PCHealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARP4EN\plugin\bin\jsharpde\ZipLib.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
.

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 10:11 pm

Hello.
Please post the bottom half of the log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by brian6464 on 6th December 2008, 10:16 pm

The entire log was posted in my previous two posts...is it missing something?

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 10:18 pm

Hello.
Yes, it should go down to catchme rootkit scanner, take a look at the txt file yourself.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by brian6464 on 6th December 2008, 10:25 pm

sorry......

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-12 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-20 443968]
"NVIEW"="nview.dll" [2003-08-19 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QUICKCARE"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2006-11-07 192512]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-06 1168264]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-06 185896]
"VTTimer"="VTTimer.exe" [2004-10-22 c:\windows\system32\VTTimer.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-09-28 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
KODAK Picture Transfer Software.lnk - c:\program files\Kodak\KODAK Picture Transfer Software\pts.exe [2006-09-27 1413120]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NAV\1001000.021\SYMEFA.SYS []
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NAV\1001000.021\BHDrvx86.sys [2008-11-10 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NAV\1001000.021\ccHPx86.sys [2008-11-10 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-03 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
S2 mrtRate;mrtRate; []
.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-vxdhm - c:\documents and settings\Owner\Application Data\Google\xtgoj6119471.exe
HKCU-Run-RecordNow! - (no file)
HKLM-Run-HPHUPD05 - c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HKLM-Run-Yapta Tracker - c:\program files\Yapta\YaptaClient.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\WMDownload.dll - O16 -: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\WMDL.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-06 15:44:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
c:\windows\system32\HPZipm12.exe
c:\program files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
c:\program files\Spyware Doctor\pctsAuxs.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\HPZinw12.exe
c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Symantec\LiveUpdate\LuComServer_3_4.EXE
.
**************************************************************************
.
Completion time: 2008-12-06 16:01:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 22:01:04

Pre-Run: 72,289,890,304 bytes free
Post-Run: 83,851,366,400 bytes free

235 --- E O F --- 2008-11-12 03:11:49

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 10:26 pm

Looks good, what problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by brian6464 on 6th December 2008, 10:29 pm

Everything seems to be running fine now. Thanks for all your help!!

brian6464
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-12-06
OS OS : XP
Points Points : 29260
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on 6th December 2008, 10:33 pm

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Doctor Inferno on 23rd December 2008, 3:28 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104640
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum