Sinowal/Torpig Trojan? - global startup uninstall.exe


Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by kev on 5th April 2009, 6:12 pm

I have a Dell Inspiron 510m with WinXP SP2. I was notified by my ISP that malware was sent from my account. They identified the malware as the Torpig trojan. I ran various antivirus programs, which did not find anything. Gmer.exe occasionally seems to detect an mbr rootkit, but not always. I also ran ComboFix and SDFix, apparently to no avail.

I then noticed an unusual entry in the HijackThis log (see below) according to which the program "uninstall.exe" was part of the global startup routine. I then uploaded that file to an online virus checker, and the answer was that this file belongs to the Sinowal virus. More specifically:
- AntiVir --> TR/Drop.Agen.479232
- a-squared --> Backdoor.Sinowal!IK
- Avast --> Win32:Sinowal-FV
- AVG --> PSW.Sinowal.S
- F-Secure --> Trojan-Dropper:W32/Agent.JXG
- Kaspersky --> Trojan-Dropper.Win32.Agent.alpy
- Sophos --> Mal/Sinowa-A


I cannot delete the file "uninstall.exe" manually, as Explorer tells me it is used by another process. When I once managed to delete it, it respawned immediately. It is located in c:\Documents and Settings\All Users\Start Menu\Programs\Startup

Here is the HijackThis Logfile:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:30:57 PM, on 4/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: uninstall.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 2896 bytes

Here is the Avira AntiRootkit Tool Log:

Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started Sunday, April 05, 2009 - 19:22:14 PM
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 52.32 GB
- Working disk free size : 7.00 GB (13 %)
--------------------------------------------------------------------------------------------------------

Results:
Hidden key : HKEY_USERS\S-1-5-21-2252461919-2144099647-1908636944-1006\Software\Microsoft\Protected Storage System Provider\S-1-5-21-2252461919-2144099647-1908636944-1006\data
Hidden key : HKEY_USERS\S-1-5-21-2252461919-2144099647-1908636944-1006\Software\Microsoft\Protected Storage System Provider\S-1-5-21-2252461919-2144099647-1908636944-1006\data 2
Hidden value : HKEY_USERS\S-1-5-21-2252461919-2144099647-1908636944-1006\Software\Microsoft\Protected Storage System Provider\S-1-5-21-2252461919-2144099647-1908636944-1006 -> migrate

--------------------------------------------------------------------------------------------------------
Files: 0/63111
Registry items: 3/229367
Processes: 0/26
Scan time: 00:04:29
--------------------------------------------------------------------------------------------------------
Active processes:
- pnahmbay.exe (PID 152) (Avira AntiRootkit Tool - Beta)
- Acrobat.exe (PID 580)
- System (PID 4)
- SMSS.EXE (PID 564)
- CSRSS.EXE (PID 620)
- WINLOGON.EXE (PID 644)
- SERVICES.EXE (PID 692)
- LSASS.EXE (PID 712)
- SVCHOST.EXE (PID 940)
- SVCHOST.EXE (PID 1036)
- SVCHOST.EXE (PID 1088)
- SVCHOST.EXE (PID 1172)
- Agent.exe (PID 1204)
- EXPLORER.EXE (PID 1340)
- SPOOLSV.EXE (PID 1444)
- WLTRYSVC.EXE (PID 1712)
- BCMWLTRY.EXE (PID 1728)
- ALG.EXE (PID 1952)
- hkcmd.exe (PID 900)
- Apoint.exe (PID 1168)
- quickset.exe (PID 1832)
- DVDLauncher.exe (PID 1192)
- tfswctrl.exe (PID 832)
- CTFMON.EXE (PID 320)
- ApntEx.exe (PID 440)
- avirarkd.exe (PID 1528)
========================================================================================================
- Scan finished Sunday, April 05, 2009 - 19:26:44 PM
========================================================================================================

kev (Novice; joined 2009-04-05; OS: WinXP SP2)

Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by Belahzur on 5th April 2009, 6:18 pm

Hello.

You are running an old version of Hijack This, and we need to use the new version before we can do anything else.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • When Hijack This opens, choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - Global Startup: uninstall.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download [You must be registered and logged in to see this link.] to your desktop.
Double click on the MBR.exe to run it. A log will be produced, named MBR.log.
Please open this log in Notepad and post its contents in your next reply.




Belahzur (Administrator; joined 2008-08-03; OS: 7 Home Premium x64)
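The entry HijackThis is being asked to fix is a file in the All Users Startup folder, and the first post already says the file is locked and comes straight back when deleted. The Python below is an added example, not part of this thread and not HijackThis or any other tool named here: it lists the files in a startup folder with their hashes (for the notes you keep before touching anything), then deletes one and watches whether it is recreated, which is the quickest way to confirm that some other running process is the real persistence mechanism and the startup entry is only a symptom. The folder paths are assumed XP defaults, and the demo folder and placeholder "uninstall.exe" it creates are constructed; the placeholder contains no executable code.

```python
"""Triage a startup-folder entry that comes back after you delete it.

Added example for this thread; not part of the forum post and not HijackThis.
It lists each file in a startup folder with its hash, then deletes one and watches
for it to reappear. The demo folder and placeholder "uninstall.exe" are constructed.
"""
import hashlib
import os
import tempfile
import threading
import time

# The folder HijackThis calls "Global Startup" on XP, plus the current user's own folder
# (paths assumed to be the XP defaults; adjust for a non-English or relocated profile).
STARTUP_DIRS = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
    os.path.join(os.environ.get("USERPROFILE", ""), r"Start Menu\Programs\Startup"),
]


def _sha256(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def list_startup_entries(folder: str) -> list:
    """One record per file: name, size, mtime and SHA-256, for the submission notes."""
    entries = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            st = os.stat(path)
            entries.append({"name": name, "size": st.st_size,
                            "mtime": st.st_mtime, "sha256": _sha256(path)})
    return entries


def probe_respawn(path: str, watch_seconds: float = 10.0, poll: float = 0.25) -> dict:
    """Delete the file and watch for it to be recreated.

    deleted=False with an error means another process holds it open (the
    'used by another process' case); respawned=True with same_hash=True means a
    running dropper rewrote the identical file, so the startup entry is a symptom
    and the dropper process is the thing to find.
    """
    result = {"deleted": False, "error": None, "respawned": False,
              "after_seconds": None, "same_hash": None}
    original = _sha256(path)
    try:
        os.remove(path)
        result["deleted"] = True
    except OSError as exc:
        result["error"] = str(exc)
        return result
    started = time.time()
    while time.time() - started < watch_seconds:
        if os.path.isfile(path):
            result["respawned"] = True
            result["after_seconds"] = round(time.time() - started, 2)
            result["same_hash"] = _sha256(path) == original
            break
        time.sleep(poll)
    return result


def demo() -> dict:
    """Constructed demo: a thread plays the dropper and rewrites the file after 0.3 s."""
    folder = tempfile.mkdtemp(prefix="startup_demo_")
    path = os.path.join(folder, "uninstall.exe")
    payload = b"MZ placeholder bytes, not an executable"
    with open(path, "wb") as f:
        f.write(payload)

    def dropper():
        time.sleep(0.3)
        tmp = path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(payload)
        os.replace(tmp, path)          # atomic, so the probe never sees a half-written file

    threading.Thread(target=dropper, daemon=True).start()
    before = list_startup_entries(folder)
    outcome = probe_respawn(path, watch_seconds=3.0, poll=0.05)
    outcome["entries_before"] = before
    return outcome


if __name__ == "__main__":
    print(demo())
```

Copy the file somewhere safe (and record its hash) before running the probe on a real machine: deleting it destroys the sample you would otherwise submit to a vendor, and the probe only tells you that something rewrites it, not what. If the delete fails with a sharing violation, the process holding the handle is the lead to chase next.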

Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by kev on 5th April 2009, 8:53 pm

Thank you for your quick reply. I installed the current version of HijackThis.

When I check the box next to "O4 - Global Startup:uninstall.exe" and press "Fix Checked", HijackThis seemingly deletes the entry, but it resurrects when I scan anew.

Here is the current HijackThis Logfile (after trying to delete/remove the global startup entry):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:33 PM, on 4/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: uninstall.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 2712 bytes

Here is the mbr.exe logfile (mbr.log):

Stealth MBR rootkit detector 0.2.4 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

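The mbr.log above reads sector 0 through two paths and reports "user & kernel MBR OK" because the two copies agree. As an added example (not part of this thread, and not how Gmer's mbr.exe works internally), the Python below parses a 512-byte MBR, hashes the boot code and the partition table separately, and compares a current read with a baseline. The footprint an MBR rootkit of this kind typically leaves is changed boot code with the partition table untouched, so the machine still boots normally; the comparison reports that pattern explicitly. The sample sectors are constructed placeholders, not real Windows or Sinowal boot code. read_mbr needs administrator rights and reads through the normal disk stack, so an active rootkit that filters reads can hand back a clean sector; take the baseline, or the comparison read, from an offline boot such as a rescue CD to avoid that.

```python
"""Parse a 512-byte MBR and compare it with a known-good baseline.

Added example for this thread (not Gmer's mbr.exe and not part of the forum post).
Sample sectors are constructed placeholders, not real Windows or Sinowal boot code.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code (what an MBR rootkit replaces)
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"       # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split one sector into boot-code hash, partition-table hash and decoded entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack(
            "<BBBBBBBBII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue                       # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[PART_TABLE_OFF:510]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(current: bytes, baseline: bytes) -> list:
    """Return human-readable findings; an empty list means current matches baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    code_changed = cur["boot_code_sha256"] != base["boot_code_sha256"]
    table_changed = cur["table_sha256"] != base["table_sha256"]
    if code_changed:
        findings.append("boot code differs from baseline")
    if table_changed:
        findings.append("partition table differs from baseline")
    if code_changed and not table_changed:
        # Typical MBR-rootkit footprint: loader replaced, partition table untouched so the OS still boots.
        findings.append("boot code replaced with partition table intact: MBR rootkit pattern")
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (needs administrator rights; Windows device path shown).

    This goes through the normal disk stack, so an active rootkit that filters reads
    can return a clean sector. Take the comparison read from an offline boot instead.
    """
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: given boot code, one bootable type-0x07 partition at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 0x01234567)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + table + BOOT_SIG


# Constructed samples: "baseline" is a placeholder, "tampered" has new boot code, same table.
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 30)


if __name__ == "__main__":
    print("clean   :", compare_mbr(BASELINE_MBR, BASELINE_MBR) or ["no findings"])
    print("tampered:", compare_mbr(TAMPERED_MBR, BASELINE_MBR))
```

A sensible baseline is a copy of sector 0 saved from the same machine when it was known clean, or the sector read from a rescue boot; comparing against a generic Windows MBR from another machine produces false differences because OEM and installer versions of the boot code are not identical.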

Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by Belahzur on 5th April 2009, 8:57 pm

Hello.
Something is regenerating it. We have to find out what. Before we do this, though, I have to prepare you for the worst.

Sinowal is known to spawn the MBR rootkit you talked about, but it also infects legit files. This cannot be fixed, and your only way out is formatting. This next scanner will show modified files, and if legit files are found, then you have the file-infector variant of Sinowal.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.




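The concern in the reply above is that the file-infecting variant patches legitimate system files. On Windows XP, system32\dllcache holds the protected copies that Windows File Protection restores from, so one quick check is to hash every file in dllcache against the live copy in system32 and list the ones that differ. The Python below is an added example, not a tool from this thread; build_demo_tree constructs a throwaway directory with placeholder files (not real DLLs) so the comparison can be exercised on any machine. A mismatch is a lead, not proof of infection: hotfixes and repairs can leave the two copies out of step, and a kernel rootkit that filters file reads can return clean content for both, so confirm from an offline boot before acting on the result.

```python
"""Compare the live files in system32 with the protected copies in system32\\dllcache.

Added example for this thread; not a tool from the forum. dllcache holds the copies
Windows File Protection (XP) uses to restore system files, so a live file whose hash
differs from its cached copy deserves a look. Assumption: both trees are readable and
no rootkit is filtering reads (run from an offline boot to be sure).
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_dllcache(system32: str, dllcache: str = None) -> dict:
    """Return {"match": [...], "mismatch": [...], "missing": [...]} of file names.

    match:    live file identical to its dllcache copy
    mismatch: live file differs from its dllcache copy (review these first)
    missing:  dllcache has a copy but system32 has no such file (informational)
    """
    if dllcache is None:
        dllcache = os.path.join(system32, "dllcache")
    result = {"match": [], "mismatch": [], "missing": []}
    for name in sorted(os.listdir(dllcache)):
        cached = os.path.join(dllcache, name)
        if not os.path.isfile(cached):
            continue
        live = os.path.join(system32, name)
        if not os.path.isfile(live):
            result["missing"].append(name)
        elif sha256_file(cached) == sha256_file(live):
            result["match"].append(name)
        else:
            result["mismatch"].append(name)
    return result


def build_demo_tree() -> str:
    """Constructed demo tree (placeholder bytes, not real DLLs); returns the system32 path."""
    root = tempfile.mkdtemp(prefix="dllcache_demo_")
    system32 = os.path.join(root, "system32")
    dllcache = os.path.join(system32, "dllcache")
    os.makedirs(dllcache)
    files = {
        # name: (live bytes or None, cached bytes)
        "user32.dll": (b"MZ" + b"A" * 64, b"MZ" + b"A" * 64),                 # identical
        "netapi32.dll": (b"MZ" + b"B" * 64 + b"patched", b"MZ" + b"B" * 64),  # differs
        "sxs.dll": (None, b"MZ" + b"C" * 64),                                 # only in dllcache
    }
    for name, (live, cached) in files.items():
        if live is not None:
            with open(os.path.join(system32, name), "wb") as f:
                f.write(live)
        with open(os.path.join(dllcache, name), "wb") as f:
            f.write(cached)
    return system32


if __name__ == "__main__":
    target = os.environ.get("SYSTEM32", r"C:\WINDOWS\system32")
    report = compare_with_dllcache(target if os.path.isdir(target) else build_demo_tree())
    for name in report["mismatch"]:
        print("MISMATCH", name)
    print("%d match, %d mismatch, %d only in dllcache" % (
        len(report["match"]), len(report["mismatch"]), len(report["missing"])))
```

For each mismatch, compare the file version and digital signature as well as the hash before deciding it is infected; a file updated by a hotfix carries a newer version and a valid signature, while a patched one typically does not.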

Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by kev on 6th April 2009, 5:47 am

Here is the DDS.txt you requested:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Kevin at 7:37:31.24 on Mon 04/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.780 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
SVCHOST.EXE
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\Kevin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
mRun: [pdfFactory Pro Dispatcher v2] "c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe" /source=HKLM
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\uninstall.exe
IE: Send To &Bluetooth - c:\program files\dell\bluetooth software\btsendto_ie_ctx.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin\applic~1\mozilla\firefox\profiles\7kqbf8yx.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\adobe\acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\realalternative\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\realalternative\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2007-8-14 22136]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-6-28 29744]
S3 mbr;mbr;\??\c:\docume~1\kevin\locals~1\temp\mbr.sys --> c:\docume~1\cyrill\locals~1\temp\mbr.sys [?]
S3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2006-5-20 45920]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2007-6-7 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2007-6-7 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2007-6-7 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2007-6-7 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2007-6-7 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2007-6-7 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2007-6-7 90800]

=============== Created Last 30 ================

2009-04-05 18:47 577,024 a------- c:\windows\system32\dllcache\user32.dll
2009-04-05 18:45 --d----- c:\windows\ERUNT
2009-04-05 18:39 --d----- C:\SDFix
2009-04-02 22:39 713,216 -------- c:\windows\system32\dllcache\sxs.dll
2009-04-02 22:33 --d-h--- c:\windows\$hf_mig$
2009-04-02 22:33 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2009-03-31 21:09 --dshr-- C:\cmdcons
2009-03-31 21:09 --d----- c:\windows\setup.pss
2009-03-31 09:32 161,792 a------- c:\windows\SWREG.exe
2009-03-31 09:32 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================


============= FINISH: 7:37:48.13 ===============


Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by Belahzur on 6th April 2009, 1:06 pm

Hello.
When you ran Combofix, can you post me that log it made?





Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by kev on 7th April 2009, 9:10 pm

ComboFix 09-03-29.02 - Kevin 2009-03-31 9:33:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.758 [GMT 2:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2027-09-26 20:39 . 2027-06-13 22:09 88 --a------ c:\windows\SYSTEM32\bs.bin
2027-09-26 20:37 . 2027-09-26 20:37 d-------- C:\Programme
2009-02-10 10:56 . 2009-02-10 10:56 d-------- c:\documents and settings\All Users\Application Data\Juniper Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 06:32 --------- d-----w c:\program files\Firefox
2009-03-29 12:21 --------- d-----w c:\program files\Ad-Aware
2009-03-23 22:22 --------- d-----w c:\documents and settings\Kevin\Application Data\Juniper Networks
2009-03-22 10:46 --------- d-----w c:\program files\PaintShopPro
2009-01-28 21:33 --------- d-----w c:\documents and settings\Kevin\Application Data\Canon
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-21 155648]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-05-16 528384]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-09-25 503808]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-01-25 495616]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-28 29744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files\DVDRegionFree\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\SYSTEM32\DRIVERS\CSVirtA.sys [2007-08-14 22136]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-06-28 29744]
S3 PhTVTune;Cap7134 TVTuner;c:\windows\SYSTEM32\DRIVERS\PhTVTune.sys [2006-05-20 45920]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-pdfSaver3 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = about:blank
IE: Send To &Bluetooth - c:\program files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\7kqbf8yx.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Adobe\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\RealAlternative\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\RealAlternative\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-31 09:37:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cisco Systems\SSL VPN Client\Agent.exe
c:\program files\Dell\Bluetooth Software\bin\btwdins.exe
c:\windows\SYSTEM32\WLTRYSVC.EXE
c:\windows\SYSTEM32\BCMWLTRY.EXE
c:\program files\Apoint\ApntEx.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2009-03-31 9:39:22 - machine was rebooted [Kevin]
ComboFix-quarantined-files.txt 2009-03-31 07:39:17

Pre-Run: 3,850,403,840 bytes free
Post-Run: 4,003,328,000 bytes free

110

Here is also the content of the file ComboFix-quarantined-files.txt:

2009-03-31 09:01:08 A------- 232 C:\Qoobox\Quarantine\catchme.log
2009-03-31 09:34:55 A------- 12,246 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-03-31 09:38:36 A------- 97 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-pdfSaver3.reg.dat


Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by Belahzur on 7th April 2009, 9:15 pm

Hello.
No problems in CF. Delete your copy of Combofix.

We'll use Combofix again soon, but first install an AV - that is priority.

Please install Avira antivirus otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Avira)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by kev on 8th April 2009, 8:30 am

Note that I had Antivir installed when the infection must have occurred (but Antivir did not catch it at that time). I only uninstalled it to run ComboFix.

When I now reinstalled a new copy of Antivir, it told me that master boot sector HD1 contains code of the boot sector virus BOO/Sinowal.A, but then warned me that the boot sector could not be repaired.

Here is the new ComboFix logfile:

ComboFix 09-04-04.01 - Kevin 2009-04-08 10:17:36.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.743 [GMT 2:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled*
.

((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
.

2027-09-26 20:39 . 2027-06-13 22:09 88 --a------ c:\windows\SYSTEM32\bs.bin
2027-09-26 20:37 . 2027-09-26 20:37 d-------- C:\Programme
2009-04-08 10:05 . 2009-04-08 10:05 d-------- c:\windows\LastGood
2009-04-08 10:05 . 2009-04-08 10:05 d-------- c:\program files\Avira
2009-04-08 10:05 . 2009-04-08 10:05 d-------- c:\documents and settings\All Users\Application Data\Avira
2009-04-08 10:05 . 2009-02-13 11:31 55,640 --a------ c:\windows\SYSTEM32\DRIVERS\avgntflt.sys
2009-04-05 18:47 . 2009-04-05 18:47 577,024 --a------ c:\windows\SYSTEM32\DLLCACHE\user32.dll
2009-04-05 18:45 . 2009-04-05 18:45 d-------- c:\windows\ERUNT
2009-04-05 18:39 . 2009-04-05 19:11 d-------- C:\SDFix
2009-04-02 22:39 . 2008-10-23 15:06 713,216 --------- c:\windows\SYSTEM32\DLLCACHE\sxs.dll
2009-04-02 22:33 . 2009-04-02 22:39 d--h----- c:\windows\$hf_mig$
2009-04-02 22:33 . 2008-10-15 18:57 332,800 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 21:51 --------- d-----w c:\program files\Firefox
2009-04-05 19:46 --------- d-----w c:\program files\PaintShopPro
2009-04-05 19:46 --------- d-----w c:\documents and settings\Kevin\Application Data\Canon
2009-04-05 17:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-05 08:51 --------- d-----w c:\program files\Synapsen
2009-03-29 12:21 --------- d-----w c:\program files\Ad-Aware
2009-03-23 22:22 --------- d-----w c:\documents and settings\Kevin\Application Data\Juniper Networks
2009-02-10 08:56 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-21 155648]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-05-16 528384]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-09-25 503808]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-01-25 495616]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-28 29744]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
uninstall.exe [2009-04-08 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-08 108289]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\SYSTEM32\DRIVERS\CSVirtA.sys [2007-08-14 22136]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-06-28 29744]
S3 PhTVTune;Cap7134 TVTuner;c:\windows\SYSTEM32\DRIVERS\PhTVTune.sys [2006-05-20 45920]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ANTIVIRSCHEDULERSERVICE
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Send To &Bluetooth - c:\program files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\7kqbf8yx.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Adobe\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\RealAlternative\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\RealAlternative\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-08 10:18:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-04-08 10:19:36
ComboFix-quarantined-files.txt 2009-04-08 08:19:26
ComboFix.txt 2009-04-08 08:14:54

Pre-Run: 7,356,583,936 bytes free
Post-Run: 7,343,542,272 bytes free



Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by Belahzur on 8th April 2009, 1:08 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\documents and settings\All Users\Start Menu\Programs\Startup\uninstall.exe

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by kev on 8th April 2009, 6:30 pm

I am posting the new ComboFix log below. I should note that when ComboFix displayed its log, Antivir popped up with a message that the "uninstall.exe" file in the startup menu was the trojan TR/Trash.Gen. Although Antivir managed to delete it, it respawned within seconds, this time with 0 KB rather than 412 KB file size, and Antivir no longer recognized it.

Here is the ComboFix logfile:

ComboFix 09-04-04.01 - Kevin 2009-04-08 19:51:10.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.728 [GMT 2:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kevin\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled*
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Start Menu\Programs\Startup\uninstall.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\uninstall.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
.

2027-09-26 20:39 . 2027-06-13 22:09 88 --a------ c:\windows\SYSTEM32\bs.bin
2027-09-26 20:37 . 2027-09-26 20:37 d-------- C:\Programme
2009-04-08 10:05 . 2009-04-08 10:05 d-------- c:\program files\Avira
2009-04-08 10:05 . 2009-04-08 10:05 d-------- c:\documents and settings\All Users\Application Data\Avira
2009-04-08 10:05 . 2009-02-13 11:31 55,640 --a------ c:\windows\SYSTEM32\DRIVERS\avgntflt.sys
2009-04-05 18:47 . 2009-04-05 18:47 577,024 --a------ c:\windows\SYSTEM32\DLLCACHE\user32.dll
2009-04-05 18:45 . 2009-04-05 18:45 d-------- c:\windows\ERUNT
2009-04-05 18:39 . 2009-04-05 19:11 d-------- C:\SDFix
2009-04-02 22:39 . 2008-10-23 15:06 713,216 --------- c:\windows\SYSTEM32\DLLCACHE\sxs.dll
2009-04-02 22:33 . 2009-04-02 22:39 d--h----- c:\windows\$hf_mig$
2009-04-02 22:33 . 2008-10-15 18:57 332,800 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 21:51 --------- d-----w c:\program files\Firefox
2009-04-05 19:46 --------- d-----w c:\program files\PaintShopPro
2009-04-05 19:46 --------- d-----w c:\documents and settings\Kevin\Application Data\Canon
2009-04-05 17:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-05 08:51 --------- d-----w c:\program files\Synapsen
2009-03-29 12:21 --------- d-----w c:\program files\Ad-Aware
2009-03-23 22:22 --------- d-----w c:\documents and settings\Kevin\Application Data\Juniper Networks
2009-02-10 08:56 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-21 155648]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-05-16 528384]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-09-25 503808]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-01-25 495616]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-28 29744]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
uninstall.exe [2009-04-08 421888]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-08 108289]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\SYSTEM32\DRIVERS\CSVirtA.sys [2007-08-14 22136]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-06-28 29744]
S3 PhTVTune;Cap7134 TVTuner;c:\windows\SYSTEM32\DRIVERS\PhTVTune.sys [2006-05-20 45920]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Send To &Bluetooth - c:\program files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\7kqbf8yx.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Adobe\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\RealAlternative\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\RealAlternative\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-08 19:55:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cisco Systems\SSL VPN Client\Agent.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\SYSTEM32\WLTRYSVC.EXE
c:\windows\SYSTEM32\BCMWLTRY.EXE
c:\program files\Apoint\ApntEx.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2009-04-08 19:57:54 - machine was rebooted [Kevin]
ComboFix-quarantined-files.txt 2009-04-08 17:57:49

Pre-Run: 7,334,064,128 bytes free
Post-Run: 7,321,387,008 bytes free



Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by Belahzur on 8th April 2009, 7:02 pm

Darn it. We have to go even deeper.


  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.


Please visit this website.
[You must be registered and logged in to see this link.]

On that website, press the browse button and locate this file in bold:
c:\windows\SYSTEM32\DLLCACHE\user32.dll

Select that file to be uploaded.
Copy and paste the result back here.

After that, please run a GMER Rootkit scan:

Download GMER's application from here:
[You must be registered and logged in to see this link.]

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.
If the log is huge, please upload it to mediafire.com for me to see.



Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by kev on 9th April 2009, 12:34 am

Here is the Jotti report on user32.dll:

File: user32.dll
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: c72661f8552ace7c5c85e16a3cf505c4

Scan taken on 09 Apr 2009 00:26:21 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Here is the GMER.exe logfile:

GMER 1.0.15.14966 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-09 02:21:30
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT F7D240CE ZwCreateKey
SSDT F7D240C4 ZwCreateThread
SSDT F7D240D3 ZwDeleteKey
SSDT F7D240DD ZwDeleteValueKey
SSDT F7D240E2 ZwLoadKey
SSDT F7D240B0 ZwOpenProcess
SSDT F7D240B5 ZwOpenThread
SSDT F7D240EC ZwReplaceKey
SSDT F7D240E7 ZwRestoreKey
SSDT F7D240D8 ZwSetValueKey
SSDT F7D240BF ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 869235A0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 869235A0
Device \Driver\atapi \Device\Ide\IdePort1 869235A0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 869235A0

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:512] 8698BB50
Thread System [4:516] 8695ABA0
Thread System [4:524] 869A8DC0
Thread System [4:600] 8696A0E0

---- EOF - GMER 1.0.15 ----


Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by Belahzur on 9th April 2009, 12:51 am

Darn it again. Drat, drat, drat.

I'm thinking now is a good time for a format because Sinowal is a file infector, and any one of your legit could be patched that CF won't show, this is because malware does a lot of damage and uses the damage to cover up what it has done so we can't see it.

If this wasn't Sinowal, I wouldn't stop looking for a reason, but due to what Sinowal can do and has already done, I'm trying to put a stop to this before it spreads to anyone else.

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).


Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]



Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by kev on 9th April 2009, 7:24 am

OK, I see I will have to format the drive and reinstall the OS. The only concern I have in this context is that I have a Dell with its proprietary MBR and three partitions on the drive that do not do me any good. If I format and reinstall, I want to get rid of that all and completely clean the drive.

How can I best do that before I reinstall the OS (I know how to reinstall it, but I am not sure how to best prepare the Dell hard drive for doing that, so that I get a clean new non-proprietary MBR and a clean drive without pre-installed partitions)?


Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by Belahzur on 9th April 2009, 1:11 pm

When you format, you'll be able to see all 3 partitions and you should be able to delete all 3 without damaging the MBR.

Read some of the links I posted, they'll help you understand.



Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by kev on 9th April 2009, 9:10 pm

I deleted the partitions, reformatted the drive, and re-installed WinXP. While the "uninstall.exe" file is gone and mbr.exe tells me the master boot sector (HD0, I suppose) is OK, Antivir still tells me that master boot sector HD1 is infected with BOO/Sinowal.A.

Am I safe because the computer is booted from master boot sector HD0 rather than HD1? Is there a way I can safely overwrite MBR HD1?


Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by Belahzur on 9th April 2009, 9:16 pm

Is there a way you can boot to the infected part of the MBR and we'll run the MBR tool on that part?



Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by kev on 10th April 2009, 9:08 am

I figured out that HD1 was a non-bootable flash drive, and I fixed that drive's MBR by using the tool mbrfix.exe to target that drive's MBR and used the fixmbr command on it. Antivir no longer reports infection now.
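The two posts above concern an MBR infection reported on a second drive (HD1) and its repair with fixmbr. As an added example that is not part of this thread, here is a Python audit of a 512-byte MBR covering what a defender would check before trusting a disk: the 0x55AA signature, partition-table sanity, and whether the boot-code region still matches a hash recorded from a known-clean machine. The baseline hash and the sample MBRs are constructed for the demonstration; `read_mbr` is a helper added here for reading sector 0 of a real device.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
BOOTCODE_LEN = 440      # bytes 0..439 hold the executable boot code
PART_TABLE_OFF = 446    # four 16-byte partition entries follow the disk signature
SIGNATURE_OFF = 510     # final two bytes must be 0x55 0xAA


@dataclass
class PartitionEntry:
    index: int
    status: int        # 0x80 = active/bootable, 0x00 = inactive; anything else is invalid
    type_id: int       # 0x00 means the slot is unused
    lba_start: int
    sector_count: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def empty(self) -> bool:
        return self.type_id == 0


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four entries; CHS fields are skipped because LBA is authoritative."""
    entries = []
    for i in range(4):
        status, _chs_start, type_id, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append(PartitionEntry(i, status, type_id, lba, count))
    return entries


def bootcode_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def audit_mbr(mbr: bytes, trusted_bootcode: Dict[str, str]) -> List[str]:
    """Return findings (empty list = nothing suspicious). trusted_bootcode maps the
    SHA-256 of the 440-byte boot-code region to a label for that baseline."""
    if len(mbr) != SECTOR_SIZE:
        return [f"expected {SECTOR_SIZE} bytes, got {len(mbr)}"]
    findings = []
    if mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    digest = bootcode_sha256(mbr)
    if digest not in trusted_bootcode:
        # Boot code rewritten by anything (a rootkit included) lands here.
        findings.append(f"boot code does not match any baseline (sha256 {digest[:16]}...)")
    parts = parse_partition_table(mbr)
    active = [p for p in parts if p.bootable]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions flagged active; at most one expected")
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"entry {p.index}: invalid status byte 0x{p.status:02x}")
        if p.empty and (p.lba_start or p.sector_count):
            findings.append(f"entry {p.index}: type 0 but non-zero LBA/size")
        if not p.empty and p.sector_count == 0:
            findings.append(f"entry {p.index}: zero-length partition")
    used = sorted((p.lba_start, p.lba_start + p.sector_count, p.index)
                  for p in parts if not p.empty)
    for (_s1, e1, i1), (s2, _e2, i2) in zip(used, used[1:]):
        if s2 < e1:
            findings.append(f"entries {i1} and {i2} overlap")
    return findings


def read_mbr(device_path: str) -> bytes:
    # Windows: r"\\.\PhysicalDrive1" (administrator rights); Linux: "/dev/sdb" (root).
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(bootcode: bytes, entries: List[Tuple[int, int, int, int]]) -> bytes:
    """Construct a test MBR; entries are (status, type_id, lba_start, sector_count)."""
    buf = bytearray(SECTOR_SIZE)
    buf[:len(bootcode)] = bootcode
    for i, (status, type_id, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", buf, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", type_id, b"\0\0\0", lba, count)
    buf[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(buf)


# Constructed baseline standing in for boot code captured from a clean install.
CLEAN_BOOTCODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOTCODE_LEN - 7)
TRUSTED = {hashlib.sha256(CLEAN_BOOTCODE).hexdigest(): "clean-install baseline (constructed)"}
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE, [(0x80, 0x07, 63, 2_000_000)])
# Same partition table, but the first bytes of boot code have been rewritten.
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + CLEAN_BOOTCODE[2:], [(0x80, 0x07, 63, 2_000_000)])

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, audit_mbr(sample, TRUSTED) or ["OK"])
```

Record the baseline hash from a machine immediately after a clean install; a later mismatch on any attached disk, including a non-boot flash drive, is a reason to inspect it before trusting the system again.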


Re: Sinowal/Torpig Trojan? - global startup uninstall.exe

Post by Belahzur on 10th April 2009, 1:46 pm

Good.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

