Backdoor.Win32; sinowal knf (?) on laptop

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by zamorazeke, Jan 12, 2012.

  1. zamorazeke

    zamorazeke Corporal

    Hello everyone,

    Zonealarm, repeatedly, since middle of 12/11 has reported, quarantined, and removed (?) what it terms a high-risk virus "Backdoor.Win32" from the laptop my wife has been using.

    I've performed preliminary recommended steps to best of my ability and now am including scan logs with this and subsequent post in effort to receive aid to resolve the problem.

    Any help you might give will be greatly appreciated. I Will do my best to follow directions when given, and I will be greatly relieved when my better-half can feel safe again on the internet. :)
     
  2. zamorazeke

    zamorazeke Corporal

    Here are attachments. Thanks!
     


  3. zamorazeke

    zamorazeke Corporal

    Final attachment...didn't "upload" attachments in the first post. Sorry:(
     


  4. zamorazeke

    zamorazeke Corporal

    Additionally, here is a copy of the ZoneAlarm scan log from this afternoon...:-o

    Thanks again for any directions to help me get rid of this...!!
     


  5. thisisu

    thisisu Malware Consultant

    Hi zamorazeke,

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)
     
  6. zamorazeke

    zamorazeke Corporal

    Thanks soooo much for your reply and instructions, which I trust I have followed correctly.:)

    Don't know if you want both logs, but am attaching them with this.

    Second operation, with MBR Check, I had to hit "N" and enter twice...

    Thanks again!!!
     


  7. thisisu

    thisisu Malware Consultant

    Code:
    18:13:42.0765 3224	\Device\Harddisk0\DR0 ( Backdoor.Win32.Sinowal.knf ) - will be cured on reboot
    18:13:42.0796 3224	\Device\Harddisk0\DR0 - ok
    18:13:42.0796 3224	\Device\Harddisk0\DR0 ( Backdoor.Win32.Sinowal.knf ) - User select action: Cure
    18:14:17.0781 1156	Deinitialize success
    Looks like TDSSKiller was able to find and remove Sinowal.

    Are you having any other problems? Is ZA still reporting Sinowal?

    Let's run the below too:

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)
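    As an added illustration (not code from this thread or from the TDSSKiller project), a small Python triage helper that parses log lines in the shape quoted above and flags which detections still need a reboot and which sit on a physical-disk device object rather than in a file. The line format and the regex are assumptions drawn from the four quoted lines; the sample log is constructed.

```python
import re
from dataclasses import dataclass

# Line shape inferred from the four TDSSKiller lines quoted in the thread
# (hypothetical regex; real logs may carry extra fields):
#   HH:MM:SS.mmmm <pid>\t<object> ( <threat> ) - <status>
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<object>\S+)"
    r"(?:\s+\(\s*(?P<threat>[^)]+?)\s*\))?\s+-\s+(?P<status>.+?)$"
)
# Physical-disk device objects (\Device\HarddiskN\DRN): a hit here is a
# boot-sector level detection, not a file on the file system.
DISK_RE = re.compile(r"^\\Device\\Harddisk\d+\\DR\d+$")

@dataclass
class Detection:
    object_name: str
    threat: str
    cure_selected: bool = False
    cure_on_reboot: bool = False

def parse_tdsskiller(text):
    """Return one Detection per (object, threat) pair found in the log text."""
    found = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("threat"):
            continue  # status-only lines ("- ok", "Deinitialize success")
        key = (m.group("object"), m.group("threat"))
        det = found.setdefault(key, Detection(*key))
        status = m.group("status").lower()
        det.cure_selected |= "user select action: cure" in status
        det.cure_on_reboot |= "will be cured on reboot" in status
    return list(found.values())

def is_physical_disk_object(name):
    return DISK_RE.match(name) is not None

def triage(text):
    """Summarise detections: which need a reboot and which live in the boot sector."""
    return [{"object": d.object_name, "threat": d.threat,
             "reboot_required": d.cure_on_reboot,
             "boot_sector": is_physical_disk_object(d.object_name)}
            for d in parse_tdsskiller(text)]

# Constructed sample mirroring the lines quoted above (tab-separated as in the original).
SAMPLE_LOG = "\n".join([
    "18:13:42.0765 3224\t\\Device\\Harddisk0\\DR0 ( Backdoor.Win32.Sinowal.knf ) - will be cured on reboot",
    "18:13:42.0796 3224\t\\Device\\Harddisk0\\DR0 - ok",
    "18:13:42.0796 3224\t\\Device\\Harddisk0\\DR0 ( Backdoor.Win32.Sinowal.knf ) - User select action: Cure ",
    "18:14:17.0781 1156\tDeinitialize success",
])
```

A `boot_sector` hit with `reboot_required` set is the case where a follow-up MBR scan after the reboot is worth doing, as the consultant does here with aswMBR.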
     
  8. thisisu

    thisisu Malware Consultant

    After you complete the above post, you can continue with these: :)

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    ___________

    Make sure to let me know how the system is running after you have performed these steps.
     
  9. zamorazeke

    zamorazeke Corporal

    Hi thisisu,

    ZoneAlarm has not indicated continued infection with sinowal since running the cleaner yesterday.

    However, in the interim before running the latest applications from your last two posts today, ZoneAlarm has sent this message several times (when booting up the computer, I think): "Registry editor is trying to modify an existing driver or service: EABUSB." I'm hoping this is nothing to be concerned about, especially now that the latest operations have been completed.

    I've run aswMBR and am attaching the log thereof, have re-run Disable/remove Windows Messenger, and have run C:\MGtools\analyse.exe, checking and "fixing" the file you indicated.

    I really appreciate your help, and I trust things have been restored to BTIC (Before-this-infection Condition).
     


  10. thisisu

    thisisu Malware Consultant

    This is a legit file. It's by Hewlett Packard's Quick Launch Buttons.

    Your Master Boot Record (MBR) reports as unknown; however, we see this a lot with Hewlett Packard computers. In your case I do not think it is a problem and is just due to how HP sets up their partition tables.

    Unless you are experiencing any other malware issues, you can proceed with the below as the rest of your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Take care and be safe! :)
     
  11. zamorazeke

    zamorazeke Corporal

    Thanks again for all your help. It appears the laptop is clear of problems at this time.

    I will go through the last steps assigned in order to complete a transition back to normal.

    Best regards!:)
     
  12. thisisu

    thisisu Malware Consultant

    You're welcome :)
     
