BOO Sinowal.C

July 6, 2009 at 09:11:12
Specs: Windows XP
Hi, I have run AVIRA on my PC and it reported a virus infection from BOO/Sinowal.C in the master boot sector of my hard disk and in the master boot sectors of each of its partitions. To check this, I have uninstalled AVIRA and installed ESET NOD32 (the trial version), which found nothing. I have even run a network check with NOD32 from another PC in my home network but it does not find any viruses. There are some files it does not have access to, though (such as pagefile.sys and all the system files). Thus, I have uninstalled NOD32 and installed Kaspersky 10 trial, which has found a Sinowal.a and a Sinowal.ck. It says it has removed them, but I feel very much confused about this matter. Are there any more checks I should make? I've read other posts, and I think I'd perhaps run HijackThis and MAMB, but I'm afraid I might mess things up.
Thank you very much

#1
July 6, 2009 at 09:33:31

#2
July 6, 2009 at 09:39:28
Yeah, sure I do. I have also run MAMB, which reports no infections and no malicious items anywhere.
I have also done a system scan with HJT; this is the log (the folder "PROGRAMMI" corresponds to "PROGRAMS" -- this PC is in Italy). No entry was checked.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.41.55, on 06/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmi\Acronis\TrueImage\TrueImageMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\CyberLink\Shared Files\RichVideo.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
D:\Documenti\File ricevuti\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programmi\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: &Tastiera Virtuale - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: C&ontrollo URL - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1205D51-B06D-4900-B061-C7564C41AB5E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Servizio di Google Update (gupdate1c9dee96c816d5c) (gupdate1c9dee96c816d5c) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 8418 bytes

#3
July 6, 2009 at 09:52:30
Follow these steps in order numbered:

1) Download GMER: http://gmer.net/download.php
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it to rapidshare.com. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.

#4
July 6, 2009 at 11:37:40
Thank you so much for your advice. The gmer file name is d6vnmrhq.exe, and the log is the following (it found malicious code in sector 61 of my HD!)

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-06 20:28:25
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwClose [0xBA78DC58]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA6A1514]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwCreatePagingFile [0xBA781C70]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBA690282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xBA690474]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xBA6A1D00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xBA6A1FB8]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xBA7824FE]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xBA78DD50]
SSDT kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) ZwOpenFile [0xBA02B540]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xBA6A03FA]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwQueryKey [0xBA78251E]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwQueryValueKey [0xBA78DCA6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xBA6A2422]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwSetSystemPowerState [0xBA78D4F0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xBA6A17D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xBA68FF32]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF84 5 Bytes JMP B6949410 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF912 5 Bytes JMP B69497CA \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [BA064670] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [BA064670] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A57C8A0
Device \FileSystem\Fastfat \FatCdrom 890B91E0

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\Cdrom \Device\CdRom0 89E35CF8
Device \FileSystem\Rdbss \Device\FsWrap 8A4FD3F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\Cdrom \Device\CdRom1 89E35CF8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89E471C0
Device \Driver\atapi \Device\Ide\IdePort0 89E471C0
Device \Driver\atapi \Device\Ide\IdePort1 89E471C0
Device \Driver\atapi \Device\Ide\IdePort2 89E471C0
Device \Driver\atapi \Device\Ide\IdePort3 89E471C0
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e 89E471C0
Device \FileSystem\Srv \Device\LanmanServer 8A2F5628

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A4F7D50
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A4F7D50
Device \FileSystem\Npfs \Device\NamedPipe 89FB1DD0
Device \FileSystem\Msfs \Device\Mailslot 89FF2660
Device \Driver\Vax347s \Device\Scsi\Vax347s1 89FA26E0
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port4Path0Target0Lun0 89FA26E0
Device \FileSystem\Fastfat \Fat 890B91E0

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8A005D30
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8A005D30
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8A005D30
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8A005D30
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8A005D30
Device \FileSystem\Cdfs \Cdfs 89F62158

---- Modules - GMER 1.0.15 ----

Module _________ BA6E4000-BA6FC000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}@DisplayName Alcohol 120%
Reg HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6@ProductName Alcohol 120%

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x1d1c4581 size 0x1e4
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----

#5
July 6, 2009 at 11:48:21
Follow these steps in order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Please download MBR Rootkit Detector and save it on your desktop.
2) Pause/Stop all antivirus/spyware active protection. Then double click on mbr.exe to run it.
3) Select Run when you receive a Security Warning.
4) The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
5) A log file will then be created on your desktop where you ran mbr.exe.
6) Copy and paste the contents of mbr.log on your next reply.

If I'm helping you and I don't reply within 24 hours send me a PM.

#6
July 6, 2009 at 11:53:50
You've got it -- amazing. This is the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c4581 size 0x1e4 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C4581 !

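The two indicators in the mbr.exe log above ("copy of MBR has been found in sector 62" and "malicious code @ sector ... size 0x1e4" / "PE file found") are disk-layout checks that can be reproduced offline. The script below is an added example written for this thread; it is not GMER's or mbr.exe's own code, and it does not reproduce the user-mode vs kernel-mode MBR read comparison (that needs a driver). It builds a constructed 128-sector disk image with one partition at LBA 63, applies the layout the logs suggest (original MBR saved to sector 62, a loader of 0x1e4 bytes placed in unpartitioned space; the sector number 110 and all byte patterns are made up), and then flags (a) any sector in the gap before the first partition that carries the same partition table and signature as sector 0 but different boot code, and (b) any non-blank sectors beyond the end of the last partition, noting an MZ header where present.

```python
"""Added example (not part of the thread, not GMER's or mbr.exe's code): two of
the disk-level heuristics behind the log lines above, run over a constructed
in-memory disk image. Assumed layout, taken from the posted logs: the original
MBR relocated to sector 62, and a loader stored in unpartitioned space."""
import struct

SECTOR = 512             # bytes per sector
PT_OFFSET = 446          # partition table starts here in the MBR
SIG_OFFSET = 510         # 0x55AA boot signature
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, raw partition table and parsed entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, PT_OFFSET + i * 16)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:PT_OFFSET],
            "table": sector[PT_OFFSET:SIG_OFFSET],
            "partitions": parts,
            "signature_ok": sector[SIG_OFFSET:] == b"\x55\xaa"}


def find_relocated_mbr(image: bytes, gap_sectors: int = 63) -> list:
    """Sectors in the gap before the first partition that carry the same partition
    table and signature as sector 0 but different boot code: a saved original MBR."""
    mbr = parse_mbr(image[:SECTOR])
    hits = []
    for n in range(1, gap_sectors):
        cand = parse_mbr(image[n * SECTOR:(n + 1) * SECTOR])
        if cand["signature_ok"] and cand["table"] == mbr["table"] \
                and cand["boot_code"] != mbr["boot_code"]:
            hits.append(n)
    return hits


def find_slack_code(image: bytes, partitions: list) -> list:
    """(start_sector, size_bytes, has_mz_header) for each non-blank run of sectors
    beyond the end of the last partition, where no file system should be writing."""
    total = len(image) // SECTOR
    n = max(p["lba_start"] + p["sectors"] for p in partitions)
    findings = []
    while n < total:
        if not any(image[n * SECTOR:(n + 1) * SECTOR]):
            n += 1
            continue
        start = n
        while n < total and any(image[n * SECTOR:(n + 1) * SECTOR]):
            n += 1
        blob = image[start * SECTOR:n * SECTOR].rstrip(b"\x00")
        findings.append((start, len(blob), blob[:2] == b"MZ"))
    return findings


def analyze(image: bytes) -> dict:
    """Run both heuristics over a raw disk image and return the findings."""
    mbr = parse_mbr(image[:SECTOR])
    return {"signature_ok": mbr["signature_ok"],
            "relocated_mbr": find_relocated_mbr(image),
            "slack_code": find_slack_code(image, mbr["partitions"])}


def build_image(infected: bool, total_sectors: int = 128) -> bytes:
    """Constructed sample disk: one NTFS-typed partition at LBA 63..99 and, when
    infected, the modification pattern reported in the logs (all values made up)."""
    boot = b"\xfa\x33\xc0\x8e\xd0" + b"CLEAN BOOT CODE (constructed)".ljust(PT_OFFSET - 5, b"\x90")
    table = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 37) + b"\x00" * 48
    clean_mbr = boot + table + b"\x55\xaa"
    image = bytearray(total_sectors * SECTOR)
    image[0:SECTOR] = clean_mbr
    if infected:
        image[62 * SECTOR:63 * SECTOR] = clean_mbr                 # original MBR kept aside
        stub = b"\xeb\xfe" + b"LOADER STUB (constructed)".ljust(PT_OFFSET - 2, b"\x00")
        image[0:PT_OFFSET] = stub                                  # boot code swapped, table untouched
        payload = b"MZ" + b"constructed payload".ljust(0x1e4 - 2, b"\x41")
        image[110 * SECTOR:110 * SECTOR + len(payload)] = payload  # 0x1e4 bytes past the last partition
    return bytes(image)


if __name__ == "__main__":
    for label in ("clean", "infected"):
        r = analyze(build_image(label == "infected"))
        print(f"{label}: relocated MBR in sectors {r['relocated_mbr']}")
        for start, size, is_pe in r["slack_code"]:
            print(f"{label}: code @ sector {start:#x} size {size:#x}{' (PE header)' if is_pe else ''}")
```

On a real machine the same logic would be fed raw sectors read from the physical drive rather than a constructed image; the important caveat, and the reason mbr.exe compares a user-mode read with a kernel-mode read, is that a running MBR rootkit can filter those reads, so an image taken from the infected system itself is only trustworthy when acquired from clean boot media. Note also that fixmbr rewrites only the boot code in sector 0, so neither a saved copy in sector 62 nor a loader in unpartitioned space is touched by it.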

#7
July 6, 2009 at 12:05:38
Execute a Batch File:

1) Go to Start -> Run, and type "notepad" into the box.
2) Press ok.
3) Copy and paste the following code into notepad:

mbr.exe -f


4) Go to File -> Save
5) To the right of "Save as Type:" in the bottom of the window, change the ComboBox to "All Files"
6) Enter fix.bat into the "File name:" box just above the "Save as Type" box.
7) Double click fix.bat on your desktop.

A new MBR log will be created. Please post this.

If I'm helping you and I don't reply within 24 hours send me a PM.

#8
July 6, 2009 at 12:18:27
I have run it, but the log seems to me just the same:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c4581 size 0x1e4 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C4581 !

I have also tried to give the command in a cmd window, but the result is the same. Is it possible that a hidden version of the virus continually rewrites the code into the master boot record? Should I boot in safe mode, or boot from the installation disk?

#9
July 6, 2009 at 12:31:05
Execute a Batch File:

1) Go to Start -> Run, and type "notepad" into the box.
2) Press ok.
3) Copy and paste the following code into notepad:

mbr.exe -c 0x1d1c4581 0x1e4 copy_of_mbr


4) Go to File -> Save
5) To the right of "Save as Type:" in the bottom of the window, change the ComboBox to "All Files"
6) Enter fix.bat into the "File name:" box just above the "Save as Type" box.
7) Double click fix.bat on your desktop.

A new file called copy_of_mbr should be generated. Upload that file to rapidshare.com and private-message me the download link.

If I'm helping you and I don't reply within 24 hours send me a PM.

#10
July 6, 2009 at 13:08:15
Refer: http://askbobrankin.com/fix_mbr.html

Your Windows XP setup CDROM has a tool called the Recovery Console, which is designed to help you repair a damaged master boot record or boot sector. To start the Recovery Console and fix your damaged MBR, follow these steps:

1. Restart your computer with the Windows XP Setup disk in the CDROM drive.
2. If you are prompted to press a key to start the computer from CDROM, do so quickly. Otherwise it may try to boot from the hard drive.
3. After a few minutes, you'll see a prompt to press the R key to start the Recovery Console.
4. When Recovery Console starts, it will prompt you to enter a number corresponding to the Windows XP installation that you need to repair. In most cases, you'll enter "1" (which will be the only choice). If you press ENTER without typing a number, Recovery Console will quit and restart your computer.
5. Enter your Administrator password. If you don't enter the correct password, you cannot continue.
6. At the Recovery Console command prompt, type fixmbr and then verify that you want to proceed.

Your damaged MBR will be replaced with a shiny new one, and you should then be able to boot your system normally. In some cases, you may need to repair the boot sector in addition to the MBR. If your system still doesn't boot properly, repeat the steps above, but issue the fixboot command instead.

NOTE: These procedures assume that you have only one operating system installed. If you are an advanced user and have a multi-boot system with more than one operating system, you may need to do some additional reading about the fixmbr and fixboot commands at the Microsoft website.

If I'm helping you and I don't reply within 24 hours send me a PM.

#11
July 6, 2009 at 13:29:11
I did as you said, typed fixmbr at the recovery console command prompt, and replied "y". Then I booted and ran mbr.exe again, but I got the very same log as before:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c4581 size 0x1e4 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C4581 !

#12
July 6, 2009 at 13:32:59
Let's check other logs.

Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows vista launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdateEx( 'http://avz.virusinfo.info/avz_up/', 1, '','','');
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs:

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.

#13
July 6, 2009 at 13:33:36
Just a question: would the virus (or trojan, or whatever) be killed for good if I format the HD from the XP installation CD?
EDIT: sorry, didn't see your reply...

#14
July 6, 2009 at 13:38:26
Yes, if you redo the whole format and rewrite the MBR from scratch. Keep that as your last resort. Try this tool: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

If I'm helping you and I don't reply within 24 hours send me a PM.

#15
July 6, 2009 at 14:18:49
This is the AVZ log:
http://rapidshare.com/files/2527690...
MD5: 21B988C72C8360C896FCD8A1ADF9A727

DDS:
http://rapidshare.com/files/2527695...
MD5: 6B8D1C156CDF8DD5A5EA88F6984E8731

Attach
http://rapidshare.com/files/2527698...
MD5: 16B7CF4BA669D7B822A4B763C52DA561

I am also going to try the f-secure tool...

#16
July 6, 2009 at 14:27:11
F-secure Blacklight says: no hidden items found. A tough guy. Is it just a Sinowal or some other evil stuff in disguise...?

#17
July 6, 2009 at 14:36:01
It's Sinowal: http://www.virustotal.com/analisis/... I suggest format since none of the other tools are working against it.

If I'm helping you and I don't reply within 24 hours send me a PM.

#18
July 6, 2009 at 14:54:18
OK, let's nuke it. But -- very many thanks for your help!

#19
July 9, 2009 at 09:54:56
Hi, I've done the format but there is more trouble... I don't know if you keep this thread tracked any more, so I am opening a new one, called "Sinowal.C survives formatting".
