Sinowal Trojan

View previous topic View next topic Go down

Solved Sinowal Trojan

Post by jtrory on Sun Dec 07, 2008 2:22 am

Hi,

I inadvertently downloaded the Sinowal trojan and of course can't get rid of it myself. I've run Spybot S&D but it didn't clear it up; neither did Zonealarm antivirus. Here is my HJT log. Thanks for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:58 PM, on 12/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\James\Application Data\Google\xtgoj6119471.exe
C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [vxdhm] "C:\Documents and Settings\James\Application Data\Google\xtgoj6119471.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Register Mask Pro 3.0.lnk = ?
O4 - Global Startup: Spyder3Utility.lnk = C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe

--
End of file - 7917 bytes

jtrory
Novice
Novice

Posts Posts : 11
Joined Joined : 2008-12-07
Gender Gender : Male
OS OS : Win XP SP3
Points Points : 29210
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on Sun Dec 07, 2008 2:28 am


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [vxdhm] "C:\Documents and Settings\James\Application Data\Google\xtgoj6119471.exe"


  • Press "Fix Checked"
  • Close Hijack This.


Delete this file in bold:
C:\Documents and Settings\James\Application Data\Google\xtgoj6119471.exe



  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by jtrory on Mon Dec 08, 2008 12:13 am

ComboFix 08-12-06.06 - James 2008-12-07 19:08:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1490 [GMT -5:00]
Running from: c:\documents and settings\James\Desktop\Utilities\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 18:40 . 2008-12-07 18:40 d-------- c:\program files\FileZilla FTP Client
2008-12-06 21:10 . 2008-12-06 21:10 d-------- c:\program files\Trend Micro
2008-12-04 12:27 . 2008-12-04 12:27 1,521,189 --a------ C:\SmitfraudFix.zip
2008-12-04 12:23 . 2008-12-04 12:23 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 12:23 . 2008-12-04 12:23 d-------- c:\documents and settings\James\Application Data\Malwarebytes
2008-12-04 12:23 . 2008-12-04 12:23 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 12:23 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 12:23 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 12:22 . 2008-12-04 12:22 2,539,400 --a------ C:\mbam-setup.exe
2008-12-03 10:05 . 2008-12-03 10:05 d-------- c:\windows\Logs
2008-12-03 10:05 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-12-03 10:05 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-12-03 10:05 . 2008-05-30 14:19 507,400 --a------ c:\windows\system32\XAudio2_1.dll
2008-12-03 10:05 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-12-03 10:05 . 2008-05-30 14:18 238,088 --a------ c:\windows\system32\xactengine3_1.dll
2008-12-03 10:05 . 2008-05-30 14:17 65,032 --a------ c:\windows\system32\XAPOFX1_0.dll
2008-12-03 10:05 . 2008-05-30 14:17 25,608 --a------ c:\windows\system32\X3DAudio1_4.dll
2008-12-03 09:52 . 2008-12-03 09:52 d-------- c:\program files\Activision
2008-12-03 09:49 . 2008-12-03 09:49 d--hs---- c:\windows\ftpcache
2008-11-25 10:48 . 2008-11-25 10:48 82 --a------ c:\windows\system32\RPRID.KEY
2008-11-25 10:45 . 2008-11-25 10:48 d-------- c:\program files\RescuePRO
2008-11-25 10:45 . 2008-11-25 10:44 286,720 --a------ c:\windows\iun507.exe
2008-11-24 12:59 . 2008-09-20 09:48 30,102,144 --a------ C:\biahh.exe
2008-11-24 12:36 . 2008-11-24 12:36 d-------- c:\program files\Ubisoft
2008-11-20 23:28 . 2008-11-22 22:18 d-------- c:\program files\Vietcong
2008-11-20 19:51 . 2003-07-06 13:07 372,736 --a------ c:\windows\system32\IJL_11.DLL
2008-11-20 19:51 . 2004-03-08 23:00 212,240 --a------ c:\windows\system32\RICHTX32.OCX
2008-11-19 21:04 . 2008-11-19 21:04 640,687 --a------ C:\IJS_PDU0101_NN_W32_U_WW.exe
2008-11-19 20:59 . 2008-11-19 20:59 d-------- c:\documents and settings\James\Application Data\Printer Info Cache
2008-11-19 20:59 . 2008-11-19 20:59 d-------- c:\documents and settings\James\Application Data\Image Zone Express
2008-11-19 20:57 . 2008-11-19 20:57 6,485,656 --a------ C:\HPPSE1.12.0.46ENU.exe
2008-11-09 17:34 . 2008-11-20 23:36 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-11-09 17:04 . 2008-11-09 17:04 d-------- c:\program files\2015

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 00:10 129,052,704 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-07 23:50 --------- d-----w c:\documents and settings\James\Application Data\FileZilla
2008-12-07 23:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-07 23:34 --------- d-----w c:\documents and settings\James\Application Data\WTablet
2008-12-07 14:37 1,706,624 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-04 15:33 --------- d-----w c:\documents and settings\James\Application Data\Bioshock
2008-12-04 15:33 --------- d-----w c:\documents and settings\James\Application Data\Azureus
2008-12-04 15:33 --------- d-----w c:\documents and settings\James\Application Data\Apple Computer
2008-12-04 15:33 --------- d-----w c:\documents and settings\James\Application Data\AdobeUM
2008-12-04 15:33 --------- d-----w c:\documents and settings\James\Application Data\acccore
2008-12-03 15:05 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-25 02:22 --------- d-----w c:\documents and settings\James\Application Data\U3
2008-11-24 17:41 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-24 17:40 --------- d-----w c:\program files\AGEIA Technologies
2008-11-24 14:40 --------- d-----w c:\program files\Azureus
2008-11-20 02:12 --------- d-----w c:\program files\HP
2008-11-14 04:38 2,684,928 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-11-14 04:38 2,019,840 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-11-09 22:33 --------- d-----w c:\program files\GameSpy Arcade
2008-10-12 22:14 651,841 ----a-w C:\DSCA100V104U.exe
2008-10-11 08:07 7,246,688 ----a-w C:\CoDWaW.exe
2008-09-11 18:29 7,963,944 ----a-w C:\WacomTablet_608-4a.exe
2008-09-08 20:56 10,614,406 ----a-w C:\Shozam_download.exe
2008-09-07 23:24 50,287,536 ----a-w C:\LTRM_WWEFG_win_1_3_1.exe
2007-11-18 02:24 22,328 ----a-w c:\documents and settings\James\Application Data\PnkBstrK.sys
2007-10-13 02:09 1,011 ----a-w c:\program files\Common Files\tempeml.html
2007-09-01 17:11 1 ----a-w c:\documents and settings\James\SI.bin
2006-05-31 13:14 108,056 ----a-w c:\program files\Common Files\secman.dll
2006-03-11 23:09 626,176 ----a-w c:\program files\Common Files\osmax.ocx
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2007-01-19 16:46:40 122,880 ----a-w c:\windows\system32\mseuntern.dll
+ 2007-11-03 23:35:21 122,880 ----a-w c:\windows\system32\mseuntern.dll
- 2007-02-15 16:38:38 9,843 ----a-w c:\windows\system32\mswbniore.dll
+ 2006-10-06 14:36:13 9,843 ----a-w c:\windows\system32\mswbniore.dll
- 2008-12-04 16:45:45 320,940 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-12-07 23:58:18 328,192 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-12-04 16:55:28 997,376 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2008-12-07 02:47:10 1,285,120 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"tirbe"="c:\program files\Xuskrmqurpho\zdayqx.exe" [2006-06-02 1736701]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"DefragTaskBar"="c:\program files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-02-12 168120]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-21 981904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"tirbe"="c:\program files\Xuskrmqurpho\zdayqx.exe" [2006-06-02 1736701]
"nwiz"="nwiz.exe" [2007-08-17 c:\windows\system32\nwiz.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-05-29 5419008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2006-08-11 c:\windows\MIDIDEF.EXE]

c:\documents and settings\James\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-07-19 200704]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableClock"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Ubisoft\\Gearbox Software\\Brothers in Arms - Hell's Highway\\Binaries\\biahh.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2007-04-10 13696]
R1 cwmtdi;cwmtdi;c:\windows\system32\drivers\cwmtdi.sys [2007-05-14 48640]
R2 PMJ151NM;Panasonic DVC Web Camera;c:\windows\system32\DRIVERS\PMJ151NM.sys [2007-07-22 14848]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-09-11 3406120]
R3 Spyder3;Datacolor Spyder3;c:\windows\system32\DRIVERS\Spyder3.sys [2007-10-10 12288]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-09-11 15656]
R3 wacommousefilter;Wacom Mouse Filter Driver;c:\windows\system32\DRIVERS\wacommousefilter.sys [2007-10-04 11312]
R3 wacomvhid;Wacom Virtual Hid Driver;c:\windows\system32\DRIVERS\wacomvhid.sys [2007-10-04 12848]
R3 WacomVKHid;Virtual Keyboard Driver;c:\windows\system32\DRIVERS\WacomVKHid.sys [2008-09-11 11440]
S3 MTDVC;Panasonic DVC USB-SERIAL Driver for NT Technology;c:\windows\system32\DRIVERS\mtdv2ku1.sys [2007-07-22 12590]
S3 MTDVC_ENUM;Panasonic DVC COM Driver for NT Technology;c:\windows\system32\DRIVERS\mtdv2ks1.sys [2007-07-22 11569]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ae17584-e26e-11dc-bd23-00e04d08d6a7}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74de5fac-f120-11dc-bd3a-00e04d08d6a7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-06 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2006-06-19 17:35]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\09a86k0k.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-07 19:10:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\mseuntern.dll 122880 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PMJ151LA]
"ImagePath"="%SystemRoot%\PMJ151LA.BIN"
.
Completion time: 2008-12-07 19:11:15
ComboFix-quarantined-files.txt 2008-12-08 00:11:02
ComboFix2.txt 2008-12-04 17:08:57

Pre-Run: 34,623,492,096 bytes free
Post-Run: 34,614,001,664 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer

219

jtrory
Novice
Novice

Posts Posts : 11
Joined Joined : 2008-12-07
Gender Gender : Male
OS OS : Win XP SP3
Points Points : 29210
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on Mon Dec 08, 2008 12:18 am

Now open a new notepad file.
Input this into the notepad file:

File::
C:\SmitfraudFix.zip
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\system32\mseuntern.dll

Folder::
c:\program files\Xuskrmqurpho

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tirbe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tirbe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74de5fac-f120-11dc-bd3a-00e04d08d6a7}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by jtrory on Mon Dec 08, 2008 4:17 am

ComboFix 08-12-06.06 - James 2008-12-07 23:10:45.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1600 [GMT -5:00]
Running from: c:\documents and settings\James\Desktop\Utilities\ComboFix.exe
Command switches used :: c:\documents and settings\James\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\SmitfraudFix.zip
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\system32\mseuntern.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\Xuskrmqurpho
c:\program files\Xuskrmqurpho\Log\Text\aiotxt.dat
c:\program files\Xuskrmqurpho\Log\Text\aioweb.dat
c:\program files\Xuskrmqurpho\Log\Visual\11202008.dat
c:\program files\Xuskrmqurpho\Log\Visual\11212008.dat
c:\program files\Xuskrmqurpho\Log\Visual\11222008.dat
c:\program files\Xuskrmqurpho\Log\Visual\11232008.dat
c:\program files\Xuskrmqurpho\Log\Visual\11242008.dat
c:\program files\Xuskrmqurpho\Log\Visual\11252008.dat
c:\program files\Xuskrmqurpho\Log\Visual\11262008.dat
c:\program files\Xuskrmqurpho\unins000.dat
c:\program files\Xuskrmqurpho\unins000.exe
c:\program files\Xuskrmqurpho\zdayqx.exe
C:\SmitfraudFix.zip
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\system32\mseuntern.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 18:40 . 2008-12-07 18:40 d-------- c:\program files\FileZilla FTP Client
2008-12-06 21:10 . 2008-12-06 21:10 d-------- c:\program files\Trend Micro
2008-12-04 12:23 . 2008-12-04 12:23 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 12:23 . 2008-12-04 12:23 d-------- c:\documents and settings\James\Application Data\Malwarebytes
2008-12-04 12:23 . 2008-12-04 12:23 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 12:23 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 12:23 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 12:22 . 2008-12-04 12:22 2,539,400 --a------ C:\mbam-setup.exe
2008-12-03 10:05 . 2008-12-03 10:05 d-------- c:\windows\Logs
2008-12-03 10:05 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-12-03 10:05 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-12-03 10:05 . 2008-05-30 14:19 507,400 --a------ c:\windows\system32\XAudio2_1.dll
2008-12-03 10:05 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-12-03 10:05 . 2008-05-30 14:18 238,088 --a------ c:\windows\system32\xactengine3_1.dll
2008-12-03 10:05 . 2008-05-30 14:17 65,032 --a------ c:\windows\system32\XAPOFX1_0.dll
2008-12-03 10:05 . 2008-05-30 14:17 25,608 --a------ c:\windows\system32\X3DAudio1_4.dll
2008-12-03 09:52 . 2008-12-03 09:52 d-------- c:\program files\Activision
2008-12-03 09:49 . 2008-12-03 09:49 d--hs---- c:\windows\ftpcache
2008-11-25 10:48 . 2008-11-25 10:48 82 --a------ c:\windows\system32\RPRID.KEY
2008-11-25 10:45 . 2008-11-25 10:48 d-------- c:\program files\RescuePRO
2008-11-25 10:45 . 2008-11-25 10:44 286,720 --a------ c:\windows\iun507.exe
2008-11-24 12:59 . 2008-09-20 09:48 30,102,144 --a------ C:\biahh.exe
2008-11-24 12:36 . 2008-11-24 12:36 d-------- c:\program files\Ubisoft
2008-11-20 23:28 . 2008-11-22 22:18 d-------- c:\program files\Vietcong
2008-11-20 19:51 . 2003-07-06 13:07 372,736 --a------ c:\windows\system32\IJL_11.DLL
2008-11-20 19:51 . 2004-03-08 23:00 212,240 --a------ c:\windows\system32\RICHTX32.OCX
2008-11-19 21:04 . 2008-11-19 21:04 640,687 --a------ C:\IJS_PDU0101_NN_W32_U_WW.exe
2008-11-19 20:59 . 2008-11-19 20:59 d-------- c:\documents and settings\James\Application Data\Printer Info Cache
2008-11-19 20:59 . 2008-11-19 20:59 d-------- c:\documents and settings\James\Application Data\Image Zone Express
2008-11-19 20:57 . 2008-11-19 20:57 6,485,656 --a------ C:\HPPSE1.12.0.46ENU.exe
2008-11-09 17:34 . 2008-11-20 23:36 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-11-09 17:04 . 2008-11-09 17:04 d-------- c:\program files\2015

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 04:14 133,507,616 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-08 04:03 --------- d-----w c:\documents and settings\James\Application Data\WTablet
2008-12-08 04:02 1,782,584 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-07 23:50 --------- d-----w c:\documents and settings\James\Application Data\FileZilla
2008-12-07 23:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-04 15:33 --------- d-----w c:\documents and settings\James\Application Data\Bioshock
2008-12-04 15:33 --------- d-----w c:\documents and settings\James\Application Data\Azureus
2008-12-04 15:33 --------- d-----w c:\documents and settings\James\Application Data\Apple Computer
2008-12-04 15:33 --------- d-----w c:\documents and settings\James\Application Data\AdobeUM
2008-12-04 15:33 --------- d-----w c:\documents and settings\James\Application Data\acccore
2008-12-03 15:05 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-25 02:22 --------- d-----w c:\documents and settings\James\Application Data\U3
2008-11-24 17:41 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-24 17:40 --------- d-----w c:\program files\AGEIA Technologies
2008-11-24 14:40 --------- d-----w c:\program files\Azureus
2008-11-20 02:12 --------- d-----w c:\program files\HP
2008-11-09 22:33 --------- d-----w c:\program files\GameSpy Arcade
2008-10-12 22:14 651,841 ----a-w C:\DSCA100V104U.exe
2008-10-11 08:07 7,246,688 ----a-w C:\CoDWaW.exe
2008-09-11 18:29 7,963,944 ----a-w C:\WacomTablet_608-4a.exe
2008-09-08 20:56 10,614,406 ----a-w C:\Shozam_download.exe
2007-11-18 02:24 22,328 ----a-w c:\documents and settings\James\Application Data\PnkBstrK.sys
2007-10-13 02:09 1,011 ----a-w c:\program files\Common Files\tempeml.html
2007-09-01 17:11 1 ----a-w c:\documents and settings\James\SI.bin
2006-05-31 13:14 108,056 ----a-w c:\program files\Common Files\secman.dll
2006-03-11 23:09 626,176 ----a-w c:\program files\Common Files\osmax.ocx
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2007-02-15 16:38:38 9,843 ----a-w c:\windows\system32\mswbniore.dll
+ 2006-10-06 14:36:13 9,843 ----a-w c:\windows\system32\mswbniore.dll
- 2008-12-04 16:45:45 320,940 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-12-08 04:04:36 328,332 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-12-04 16:55:28 997,376 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2008-12-07 02:47:10 1,285,120 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"DefragTaskBar"="c:\program files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-02-12 168120]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-21 981904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"nwiz"="nwiz.exe" [2007-08-17 c:\windows\system32\nwiz.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-05-29 5419008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2006-08-11 c:\windows\MIDIDEF.EXE]

c:\documents and settings\James\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-07-19 200704]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Ubisoft\\Gearbox Software\\Brothers in Arms - Hell's Highway\\Binaries\\biahh.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2007-04-10 13696]
R1 cwmtdi;cwmtdi;c:\windows\system32\drivers\cwmtdi.sys [2007-05-14 48640]
R2 PMJ151NM;Panasonic DVC Web Camera;c:\windows\system32\DRIVERS\PMJ151NM.sys [2007-07-22 14848]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-09-11 3406120]
R3 Spyder3;Datacolor Spyder3;c:\windows\system32\DRIVERS\Spyder3.sys [2007-10-10 12288]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-09-11 15656]
R3 wacommousefilter;Wacom Mouse Filter Driver;c:\windows\system32\DRIVERS\wacommousefilter.sys [2007-10-04 11312]
R3 wacomvhid;Wacom Virtual Hid Driver;c:\windows\system32\DRIVERS\wacomvhid.sys [2007-10-04 12848]
R3 WacomVKHid;Virtual Keyboard Driver;c:\windows\system32\DRIVERS\WacomVKHid.sys [2008-09-11 11440]
S3 MTDVC;Panasonic DVC USB-SERIAL Driver for NT Technology;c:\windows\system32\DRIVERS\mtdv2ku1.sys [2007-07-22 12590]
S3 MTDVC_ENUM;Panasonic DVC COM Driver for NT Technology;c:\windows\system32\DRIVERS\mtdv2ks1.sys [2007-07-22 11569]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ae17584-e26e-11dc-bd23-00e04d08d6a7}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-06 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2006-06-19 17:35]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\09a86k0k.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-07 23:14:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PMJ151LA]
"ImagePath"="%SystemRoot%\PMJ151LA.BIN"
.
Completion time: 2008-12-07 23:15:27
ComboFix-quarantined-files.txt 2008-12-08 04:15:13
ComboFix2.txt 2008-12-08 00:11:17
ComboFix3.txt 2008-12-04 17:08:57

Pre-Run: 34,562,592,768 bytes free
Post-Run: 34,542,444,544 bytes free

201

jtrory
Novice
Novice

Posts Posts : 11
Joined Joined : 2008-12-07
Gender Gender : Male
OS OS : Win XP SP3
Points Points : 29210
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on Mon Dec 08, 2008 1:36 pm

Looks good now, what problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by jtrory on Mon Dec 08, 2008 11:19 pm

That seems to be it. Windows Firewall has stopped telling me my trojan is trying to access my computer. Wow, so simple too. Thanks so much for the help! I really appreciate it.

jtrory
Novice
Novice

Posts Posts : 11
Joined Joined : 2008-12-07
Gender Gender : Male
OS OS : Win XP SP3
Points Points : 29210
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Belahzur on Mon Dec 08, 2008 11:21 pm

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by jtrory on Wed Dec 10, 2008 5:31 pm

JavaRa 1.11 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed Dec 10 12:29:03 2008

Found and removed: C:\Program Files\Java\jre1.6.0_01

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610001

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610001

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610001

Found and removed: SOFTWARE\Classes\JavaPlugin.160_01

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_01

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_01

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610001

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610001

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610001

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160010}

Found and removed: Software\Classes\JavaPlugin.160_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_01\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_01\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_01.b06\

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_01

Found and removed: Software\JavaSoft\Java2D\1.6.0_01

Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.

jtrory
Novice
Novice

Posts Posts : 11
Joined Joined : 2008-12-07
Gender Gender : Male
OS OS : Win XP SP3
Points Points : 29210
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Sinowal Trojan

Post by Doctor Inferno on Thu Jan 15, 2009 8:12 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 12015
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104600
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum