impalass96

Removal of Backdoor.Win32.Sinowal.knf

6 posts in this topic

Hi,

I have been infected with a root kit and I need guidance on how to remove this. It redirects me to different websites.

Thanks.


Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7410

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

8/9/2011 11:55:51 AM

mbam-log-2011-08-09 (11-55-51).txt

Scan type: Quick scan

Objects scanned: 1

Time elapsed: 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16

Run by a at 17:03:28 on 2011-08-09

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.880 [GMT -7:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Symantec AntiVirus\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\oracle\ora92\bin\omtsreco.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\UltraVNC\WinVNC.exe

C:\WINDOWS\system32\mqsvc.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec AntiVirus\SmcGui.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Spark\Spark.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\amendez\Desktop\Defogger.exe

.

============== Pseudo HJT Report ===============

.

uWindow Title = Microsoft Internet Explorer provided by

uStart Page = hxxp://portal/

uDefault_Page_URL = hxxp://portal/

mDefault_Page_URL = hxxp://portal/

mStart Page = hxxp://www.dell.com

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [WinVNC] "c:\program files\ultravnc\WinVNC.exe" -servicehelper

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: NoManageMyComputerVerb = 1 (0x1)

uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)

uPolicies-explorer: NoThemesTab = 1 (0x1)

uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)

uPolicies-explorer: NoSMMyPictures = 1 (0x1)

uPolicies-explorer: NoPublishingWizard = 0 (0x0)

uPolicies-explorer: NoWebServices = 0 (0x0)

uPolicies-explorer: NoOnlinePrintsWizard = 0 (0x0)

uPolicies-explorer: SpecifyDefaultButtons = 1 (0x1)

uPolicies-explorer: Btn_Back = 1 (0x1)

uPolicies-explorer: Btn_Forward = 1 (0x1)

uPolicies-explorer: Btn_Stop = 1 (0x1)

uPolicies-explorer: Btn_Refresh = 1 (0x1)

uPolicies-explorer: Btn_Home = 1 (0x1)

uPolicies-explorer: Btn_Search = 1 (0x1)

uPolicies-explorer: Btn_Favorites = 1 (0x1)

uPolicies-explorer: Btn_History = 1 (0x1)

uPolicies-explorer: Btn_Folders = 1 (0x1)

uPolicies-explorer: Btn_Fullscreen = 2 (0x2)

uPolicies-explorer: Btn_Tools = 2 (0x2)

uPolicies-explorer: Btn_MailNews = 2 (0x2)

uPolicies-explorer: Btn_Size = 2 (0x2)

uPolicies-explorer: Btn_Print = 1 (0x1)

uPolicies-explorer: Btn_Edit = 2 (0x2)

uPolicies-explorer: Btn_Discussions = 2 (0x2)

uPolicies-explorer: Btn_Cut = 2 (0x2)

uPolicies-explorer: Btn_Copy = 2 (0x2)

uPolicies-explorer: Btn_Paste = 2 (0x2)

uPolicies-explorer: Btn_Encoding = 2 (0x2)

uPolicies-explorer: RestrictCpl = 0 (0x0)

uPolicies-explorer: DisallowRun = 1 (0x1)

uPolicies-disallowrun: 1 = aim.exe

uPolicies-disallowrun: 2 = bckgzm.exe

uPolicies-disallowrun: 3 = chkrzm.exe

uPolicies-disallowrun: 4 = freecell.exe

uPolicies-disallowrun: 5 = hrtzzm.exe

uPolicies-disallowrun: 6 = icq.exe

uPolicies-disallowrun: 7 = icqlight.exe

uPolicies-disallowrun: 8 = limewire.exe

uPolicies-disallowrun: 9 = meebo.exe

uPolicies-disallowrun: 10 = mshearts.exe

uPolicies-disallowrun: 11 = msmsgs.exe

uPolicies-disallowrun: 12 = msnmsgr.exe

uPolicies-disallowrun: 13 = pinball.exe

uPolicies-disallowrun: 14 = rvsezm.exe

uPolicies-disallowrun: 15 = shvlzm.exe

uPolicies-disallowrun: 16 = skype.exe

uPolicies-disallowrun: 17 = sol.exe

uPolicies-disallowrun: 18 = spider.exe

uPolicies-disallowrun: 19 = trillian.exe

uPolicies-disallowrun: 20 = winmine.exe

uPolicies-disallowrun: 21 = yahoomessenger.exe

uPolicies-disallowrun: 22 = ymsgr6_beta.exe

uPolicies-system: NoDispAppearancePage = 0 (0x0)

uPolicies-system: NoColorChoice = 1 (0x1)

uPolicies-system: SetVisualStyle = \\\images$\desktop_theme\zune.msstyles

uPolicies-system: Wallpaper = \\\images$\retail\std_active_desktop-1280.jpg

uPolicies-system: WallpaperStyle = 2

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206653401605

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206653396578

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0013-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-130-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\amendez\application data\mozilla\firefox\profiles\i2f9y95f.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-9-29 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-9-29 108392]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-5 366640]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2010-9-29 1832072]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-28 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-5 22712]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110809.009\NAVENG.SYS [2011-8-9 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110809.009\NAVEX15.SYS [2011-8-9 1576312]

R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

S2 hbzxlmjuaybvw;hbzxlmjuaybvw;\??\c:\windows\system32\drivers\orcbnnhw.sys --> c:\windows\system32\drivers\orcbnnhw.sys [?]

S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2011-1-25 30312]

S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2007-5-11 18432]

S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2007-5-11 14336]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-1-25 96488]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-1-25 12776]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-1-25 121576]

.

=============== Created Last 30 ================

.

2011-08-09 23:12:21 96512 ----a-w- c:\temp\bck2C.tmp

2011-08-09 23:12:21 95360 ----a-w- c:\temp\bck2B.tmp

2011-08-09 21:05:30 347147 ----a-w- c:\temp\jna1542345783173834514.dll

2011-08-09 20:05:12 96512 ----a-w- c:\temp\bckD.tmp

2011-08-09 20:05:11 95360 ----a-w- c:\temp\bckC.tmp

2011-08-09 19:42:13 96512 ----a-w- c:\temp\bck36.tmp

2011-08-09 19:42:13 95360 ----a-w- c:\temp\bck35.tmp

2011-08-09 17:21:28 347147 ------w- c:\temp\jna5058920059044856005.dll

2011-08-05 23:10:42 1404208 ----a-w- c:\temp\temporary directory 3 for tdsskiller.zip\TDSSKiller.exe

2011-08-05 23:10:42 1404208 ----a-r- c:\temp\temporary directory 1 for tdsskiller.zip\TDSSKiller.exe

2011-08-05 20:11:47 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-05 20:11:43 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-05 19:43:59 -------- d-----w- c:\program files\CCleaner

2011-08-05 17:09:30 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-08-05 15:53:15 347147 ------w- c:\temp\jna4471550528621682597.dll

2011-08-02 16:18:30 4608 ----a-w- c:\temp\i4jdel0.exe

2011-07-28 15:32:41 347147 ------w- c:\temp\jna3228157412847774601.dll

2011-07-27 20:30:08 347147 ------w- c:\temp\jna6975733060925450935.dll

2011-07-25 22:02:58 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-07-25 22:02:04 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro

2011-07-19 20:25:16 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-07-19 20:25:16 411368 ----a-w- c:\windows\system32\deploytk.dll

2011-07-19 20:25:16 411368 ----a-w- c:\program files\mozilla firefox\plugins\npdeploytk.dll

2011-07-19 19:58:35 836532 ----a-w- c:\temp\tbinstallation.exe

2011-07-19 19:58:35 16664352 ----a-w- c:\temp\jre-6u16-windows-i586.exe

2011-07-12 14:48:59 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-07-12 14:48:59 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll

2011-07-12 14:33:22 -------- d-----w- C:\WISE

.

==================== Find3M ====================

.

2011-06-27 18:29:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 17:04:14.75 ===============


Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.


screen317, thank you for your input. I will go ahead and follow your recommendations of formatting and re-installing the OS.

:(


Thanks for letting me know.

Please do not hesitate to ask if you have any additional questions.


Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.
