Avast WEBforum

Other => Viruses and worms => Topic started by: surfy on April 19, 2010, 03:20:05 PM

Title: Backdoor Sinowal
Post by: surfy on April 19, 2010, 03:20:05 PM
Hello,
I ran a Malwarebytes scan and it gave me 2 files infected. It said it removed them but I'd like to be sure the computer is clean.
Any help is greatly appreciated.

Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 03:21:00 PM
Malware bytes log before and after removal.
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 03:23:12 PM
edit
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 03:23:43 PM
---- EOF - GMER 1.0.15 ----
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 03:25:06 PM
OTL Extras logfile created on: 19/4/2010 3:50:55 μμ -
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 03:25:43 PM
 :)
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 03:26:56 PM
 
< End of report >
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 03:28:11 PM
 :)
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 03:28:43 PM
 :)
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 03:29:40 PM
CREATERESTOREPOINT
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 03:30:46 PM
 :)
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 03:31:15 PM
 :)
Title: Re: Backdoor Sinowal
Post by: Asyn on April 19, 2010, 03:33:30 PM
Could you please just attach your logs to one post...!?? ;)
asyn
Title: Re: Backdoor Sinowal
Post by: bong2x on April 19, 2010, 03:46:34 PM
:o Even a guest can read it ;D

You are exposing your system ;)

Attach only the log as a text file so that only you and the helper can read it :D

It's clean, I think ::)

Regards!!!
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 05:41:52 PM
Ok thank you.
Before I attach the logs is there any information I should remove from them?

I also keep getting a warning when I start the computer that windows firewall is disabled. It takes a while and then it enables itself. Is this normal? I get this on my laptop as well.

Thank you in advance.
 :)
Title: Re: Backdoor Sinowal
Post by: bong2x on April 19, 2010, 07:41:19 PM
Quote
I also keep getting a warning when I start the computer that windows firewall is disabled. It takes a while and then it enables itself. Is this normal? I get this on my laptop as well.

It must be enabled at start-up.

Is something initiating at start-up?

You need help from essexboy.

Attach the log files from MBAM and OTL to your first and second posts.

Regards!!!
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 08:39:14 PM

Thank you for your reply.
I attached the logs.
I also noticed that since I upgraded to Avast 5.0 it takes a while for Avast to start up.
The icon at the bottom shows the Avast icon with a caution and after a few minutes it enables itself. It's as if windows firewall and Avast are the last things starting up.
Title: Re: Backdoor Sinowal
Post by: essexboy on April 19, 2010, 08:46:55 PM
Sinowal can have an MBR element.

Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 09:14:09 PM
Hello,
Thank you for your message.
I have attached the log.

Sorry, wrong one.. I have attached the right one now.

Title: Re: Backdoor Sinowal
Post by: essexboy on April 19, 2010, 11:40:19 PM
Go to Start >> Run >> copy/paste below >> Press ENTER

mbr -f

Then a logfile (mbr.log) will be created on your screen (find it at C:\WINDOWS\mbr.log).

This will repair the MBR for you.
Title: Re: Backdoor Sinowal
Post by: surfy on April 19, 2010, 11:55:58 PM
Hello,
I tried but I get an error that windows is unable to find mbr.
Title: Re: Backdoor Sinowal
Post by: essexboy on April 19, 2010, 11:58:26 PM
Could you copy the mbr.exe file to your C drive please. I forgot it was on your desktop.
Title: Re: Backdoor Sinowal
Post by: surfy on April 20, 2010, 07:24:29 AM
Hello,
Thank you for your help.
I copied it to the C drive and I got the same error. I copied it to C:\windows and I saw a small black screen appear very quickly, but no log is created.
Title: Re: Backdoor Sinowal
Post by: surfy on April 20, 2010, 04:13:14 PM
Hi,
Just to let you know that the computer I have opened the topic for is a desktop I use at home. I also have a laptop which is behaving in a similar manner. The laptop I connect to a wireless router at work, and at home I disconnect the desktop from the router and connect the laptop. I can only connect one computer at a time on this router. Last week I got a bad MBR rootkit infection on the laptop which I thought was cleaned. However, I have noticed that when I turn the laptop on I also get a warning that Windows firewall is disabled and Avast takes a while to enable. The firewall then enables itself.
I downloaded MBR and I have attached the log. I am not sure if you prefer I open a new topic for this one or if they can be treated the same way.

I am also wondering if it's a coincidence..

Thank you in advance.
Title: Re: Backdoor Sinowal
Post by: essexboy on April 20, 2010, 08:44:36 PM
OK, run MBR -f on the laptop the same as you did before (place it in the Windows folder - oops).

Then run MBR on both and post the logs

I would also recommend that you reset the router as well - do you know how to do that ?
Title: Re: Backdoor Sinowal
Post by: surfy on April 20, 2010, 10:19:43 PM
Hi,
Thanks again for your help.
I have reset the router.
I am not sure if I am doing something wrong. I downloaded the tool to my desktop. I ran the file and it gave me a log.
Then I cut and pasted it to C:\windows.
Start - Run - mbr -f and Enter.

I get a small black screen but it disappears quickly.
I didn't get a log. If I run mbr again then I get a log with the same results as before.
Hope it's correct.
Here is the log from the laptop.
Title: Re: Backdoor Sinowal
Post by: surfy on April 20, 2010, 10:23:26 PM
Log from the desktop.
Title: Re: Backdoor Sinowal
Post by: essexboy on April 20, 2010, 10:29:21 PM
You will still get a copy of the malware, but the actual MBR looks good now. You will need to do this for both systems - mark one "laptop" and the other "desktop" so I can tell them apart.

Download ComboFix from one of these locations:

Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Title: Re: Backdoor Sinowal
Post by: surfy on April 20, 2010, 11:12:01 PM
Hello,
Thank you again for your help.
Here is the laptop log.
Title: Re: Backdoor Sinowal
Post by: essexboy on April 20, 2010, 11:16:06 PM
OK that confirmed the MBR has gone from the laptop  ;D
Title: Re: Backdoor Sinowal
Post by: surfy on April 20, 2010, 11:27:35 PM
That's great to hear!
Here is the desktop log.
Thank you so much. :)
Title: Re: Backdoor Sinowal
Post by: essexboy on April 20, 2010, 11:30:01 PM
And that one too  ;D

What problems do you have now ?
Title: Re: Backdoor Sinowal
Post by: surfy on April 20, 2010, 11:49:15 PM
That's great!

I turned them both off and started them again. When they start, Avast's icon displays on the bottom with an exclamation mark inside a triangle and then a warning that the computer is not protected because Windows firewall is disabled. They then enable themselves. This is true for both computers.

I am just wondering if this is normal.

Thanks again.
 :)
Title: Re: Backdoor Sinowal
Post by: essexboy on April 21, 2010, 08:38:11 PM
How long does it take for that to occur? As I sometimes find that my Avast will take two seconds or so to become fully active.
Title: Re: Backdoor Sinowal
Post by: surfy on April 21, 2010, 11:50:09 PM
Hi,
The desktop takes about 30-40 seconds. It's an old machine though.
The laptop takes about 15-20 seconds. There were times today where the Avast icon came on without a warning, like it was enabled quickly.
I don't understand why both have suddenly been giving warnings that Windows firewall is disabled.

On the laptop, while it was infected, Malwarebytes came up with Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Thanks again for your help.
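The FirewallDisableNotify value in that log entry is one of several Security Center switches that silence the "not protected" warning rather than turn the firewall itself off, which is why a scanner treats a non-zero value as a malware artefact. The following is an added PowerShell check, not code from this thread or from Malwarebytes, to be run in an elevated prompt; only FirewallDisableNotify is named above, the other value names are assumed siblings under the same key.

```powershell
# Added example: audit Security Center notification-suppression values.
# A value of 1 tells Security Center to stay quiet about that component;
# 0 or an absent value is the normal state.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Security Center',      # XP SP2/SP3 location
    'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'   # Vista and later
)
# Only FirewallDisableNotify appears in the thread; the rest are assumed
# sibling values from the same key.
$names = @(
    'FirewallDisableNotify',
    'AntiVirusDisableNotify',
    'UpdatesDisableNotify',
    'FirewallOverride',
    'AntiVirusOverride'
)

function Get-SecurityCenterSuppression {
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $names) {
            $value = $props.$name
            if ($null -eq $value) { continue }   # absent: nothing suppressed
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Value      = $value
                Suppressed = ($value -ne 0)
            }
        }
    }
}

$findings = Get-SecurityCenterSuppression
$findings | Format-Table -AutoSize
if ($findings | Where-Object { $_.Suppressed }) {
    Write-Warning 'Security Center notifications are suppressed; compare with a known-good machine before changing anything.'
} else {
    'No Security Center notification suppression found.'
}
```

A non-zero value that reappears after being reset, as the thread's recurring firewall warning hints at, is worth a second look at start-up items rather than just resetting the value again.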
Title: Re: Backdoor Sinowal
Post by: essexboy on April 21, 2010, 11:53:02 PM
Do you have Avast set to load after Windows?
Title: Re: Backdoor Sinowal
Post by: surfy on April 22, 2010, 12:03:30 AM
I'm not sure. Is there a way for me to check?
Title: Re: Backdoor Sinowal
Post by: surfy on April 22, 2010, 11:15:10 AM
In the Avast settings
Load Avast! services only after loading other system services
It is unchecked.

This morning the Windows firewall warning appeared again as I turned on the laptop. Avast loaded quickly without a warning.

Thanks again.
 :)
Title: Re: Backdoor Sinowal
Post by: essexboy on April 22, 2010, 08:44:16 PM
Sounds like the vagaries of your system - but keep an eye on it and let me know if anything else untoward happens
Title: Re: Backdoor Sinowal
Post by: surfy on April 22, 2010, 11:59:18 PM
Thank you very much for your help.

I will see how it goes. I don't mind the security warning as long as it's not malware related. That's my only worry.

It hasn't been a good month for me computer-wise. I just opened another topic for my son's laptop.

http://forum.avast.com/index.php?topic=58840.0

If you have a chance please have a look. I am stuck at getting the computer to give me an OTL log.

Thank you again. You have been so helpful.
 :)
 
Title: Re: Backdoor Sinowal
Post by: essexboy on April 23, 2010, 12:02:41 AM
Got it  ;D