Sinowal infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Egg90, Feb 1, 2013.

  1. Egg90

    Egg90 Private E-2

    Hi.

    MSE keeps picking up two Sinowal.gen!Y infections in the Windows/Temp folder. It says it's cleaned them and I should restart & run a full scan. However they keep popping back up almost immediately.
    Since then I've been using my phone to log into email/banking etc. Also, internet explorer is freezing regularly for about 10 secs at a time and scrolling down pages is very choppy. Chrome seems fine so I've been using that to research solutions.

I've followed the READ & RUN ME FIRST thread to the end and HitmanPro picked up the two Sinowal infections as HKU\.... strings. I was very tempted to let Hitman delete them but as instructed I ignored them & just saved the log.

Hitman also showed some PunkBuster files as suspicious but having had conflicts between PunkBuster & AV software before I guess they are nothing to worry about.

    RogueKiller crashes while scanning at the "Searching for SERVICE" part, showing the "RogueKiller.exe has stopped working" window. It doesn't create RKreport, just a debug.log

    Windows 7 64bit

    Can I just let Hitman sort all my problems out? Please say it's that easy! :)
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    Please attach the requested Malwarebytes' Anti-Malware log.
     
  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Did you uninstall your anti-virus program? I don't see one in your logs.

    Please re-scan with Hitman Pro and have it delete everything under the headings of
    • Malware remnants
    Ignore all other detections.
    Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.
    After reboot and when you are back in Windows, run another scan with HitmanPro and then attach the latest hitmanpro.zip log

    Uninstall:
    Coupon Printer for Windows

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    • R3 - URLSearchHook: (no name) - - (no file)
    After clicking Fix, exit HJT.

    Next download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\ProgramData\3b7a2455-75b8-49b1-b57d-4b7c21e683cd
    C:\ProgramData\bc180733-1ec6-4c30-b251-9c34de00a411
    C:\ProgramData\ocnnsbkjgzdroxs
    C:\Users\Rob\AppData\Local\Temp\*.*
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"=""
    
:Commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please attach these logs to your next reply:
    • C:\_OTM\MovedFiles\log.txt
    • C:\AdwCleaner[R1].txt
    • C:\AdwCleaner[S1].txt
    • C:\MGLogs.zip
    • mbam-log-2013-02-01 (17-26-50).txt

    How is your pc running now?
     
  4. Egg90

    Egg90 Private E-2

    Thanks for the welcome, & especially the help!

    No I didn't uninstall my AV (Microsoft Security Essentials). It's currently in the state of "Potentially Unprotected : To complete the cleanup, you'll need to run a full scan to check for any remains of the threat." I haven't touched it since starting the READ & RUN ME FIRST instructions.

    I have done everything you said with a couple of hiccups.

    OTM got to the [purity] line then stopped responding, I went & got some breakfast, still not responding when I got back so I rebooted. On reboot OTM ran & created the log:

    Files moved on Reboot...
    C:\Users\Rob\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...


    I just pasted this log as it's short so I could attach the new Hitman log also.

While running the MGTools getlogs.bat, SteelWerx Who Am I stopped working which it didn't before, but I followed the cmd window instructions and the rest of the processes went ahead.

PC is running well, Internet Explorer no longer freezes & stutters. Security Essentials still wants me to run a full scan, and under quarantined items are the two Sinowal.gen!Y items showing the current date & time.
    Now what would happen before is I would select Remove All, do a full scan which would come up clean, then on reboot they would be detected again.
As I said, I haven't touched it since coming here in case it messed up your recommended process.

    Can I now let Security Essentials do what it wants to do and see what happens?

    Thanks again.
     

    Attached Files:

  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    I'm preparing to head to work, and a quick review of your logs is looking good.
    After removing all items from MSE's quarantine folder, re-boot and run a full scan. Let me know of the results.

    dr.m
     
  6. Egg90

    Egg90 Private E-2

    Yes everything seems fine now.

    MSE did pick up a different Java infection which is strange.

    Exploit:Java/CVE-2012-0507

    Items:
    containerfile:C:\Users\Rob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\3504b6e4-510560f0
    file:C:\Users\Rob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\3504b6e4-510560f0->hw.class
    file:C:\Users\Rob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\3504b6e4-510560f0->mac.class
    file:C:\Users\Rob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\3504b6e4-510560f0->test.class


    It removed it, then I went on the Java website and updated from version 7 update 11, to version 7 update 13.

    Fingers crossed.

Thank you very much for your help, I really appreciate it.
     
  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :)
    You're very welcome and your logs are looking good!

    Now MSE is showing up in this set of logs.
    Did you also uninstall all of the older versions? There's no need to keep any of them -
    Java 7 Update 11
    Java(TM) 6 Update 21 (64-bit)
    Java(TM) 6 Update 21

Referring to the OTM fix: everything I selected did get fixed, though.

    *If you'd like to run one final scan, see the below link:

    Using ESET's Online Scanner

    ______________________________________________________________

    *If you are ready, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. It provides no "real-time" protection unless you purchase it and does not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    4. Go to add/remove programs and uninstall HijackThis.
    5. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and/or deleted.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
Safe surfing!
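Added example (not from the thread or from any of the tools it uses): a read-only PowerShell audit that re-checks the items dr.moriarty's fix in post 3 targeted and the Java leftovers raised in post 7. It reports and deletes nothing, so it is safe to run after the cleanup to confirm the artifacts stayed gone. The ProgramData paths, the IE SearchScopes value and the Java cache location are taken from the thread; the 7-day age window for Windows\Temp and the "dangling DefaultScope" heuristic are assumptions of this example. Old Java 6 builds such as the Update 21 entries in the log predate Oracle's February 2012 fix for CVE-2012-0507, which is why step 3 lists every installed Java. Run from an elevated prompt; it is written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: post-cleanup audit for the artifacts named in this thread.
# Read-only: it reports, it does not move or delete anything.
$ErrorActionPreference = 'SilentlyContinue'

# 1. File-system artifacts OTM was asked to move (paths copied from post 3).
$paths = @(
    'C:\ProgramData\3b7a2455-75b8-49b1-b57d-4b7c21e683cd',
    'C:\ProgramData\bc180733-1ec6-4c30-b251-9c34de00a411',
    'C:\ProgramData\ocnnsbkjgzdroxs'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { "STILL PRESENT: $p" } else { "gone: $p" }
}

# MSE kept finding Sinowal.gen!Y in C:\Windows\Temp. List executable-looking files
# written there recently; the 7-day window is an assumption, tune it to taste.
$suspectExt = @('.exe', '.dll', '.tmp')
$cutoff = (Get-Date).AddDays(-7)
Get-ChildItem -LiteralPath "$env:SystemRoot\Temp" -Force |
    Where-Object { -not $_.PSIsContainer -and ($suspectExt -contains $_.Extension) -and $_.LastWriteTime -gt $cutoff } |
    Select-Object FullName, Length, LastWriteTime

# 2. Registry item from the OTM fix: DefaultScope was set to an empty string.
# Heuristic (assumption): a DefaultScope GUID with no matching subkey is a dangling
# reference left by a removed search-provider hijack.
$scopeKey = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$scope = (Get-ItemProperty -Path $scopeKey).DefaultScope
"IE DefaultScope = '$scope'"
if ($scope -and -not (Test-Path -Path "$scopeKey\$scope")) {
    "DefaultScope refers to a missing subkey: $scope"
}

# 3. Every installed Java (32- and 64-bit Uninstall keys), so old builds can be removed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys |
    Where-Object { $_.DisplayName -like 'Java*' } |
    Select-Object DisplayName, DisplayVersion, UninstallString

# 4. Java deployment cache, where the CVE-2012-0507 classes were found. Count cached
# entries per user profile; the Java Control Panel's "Delete Files" empties it.
Get-ChildItem -Path 'C:\Users\*\AppData\LocalLow\Sun\Java\Deployment\cache' |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $count = (Get-ChildItem -Path $_.FullName -Recurse | Where-Object { -not $_.PSIsContainer }).Count
        '{0}: {1} cached items' -f $_.FullName, $count
    }
```

Anything reported under step 1 or a dangling value under step 2 means the fix did not stick and the thread's "run HitmanPro again and attach the log" step applies; step 3 output should list only the current Java release once the old versions from post 7 are uninstalled.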
     
